Vulnerability "cookiejacking"

[WacoJohn]

http://news.yahoo.com/s/nm/20110525/tc_nm/us_microsoft_security

 

"Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email

 

Once a hacker has that cookie, he or she can use it to access the same site, said Valotta, who calls the technique "cookiejacking."

 

The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.

 

To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

 

That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman.

 

"I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."

 

Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.

 

"Given the level of required user interaction, this issue is not one we consider high risk," said Microsoft spokesman Jerry Bryant.

 

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Bryant said."

[ritchie58]

Interesting post WacoJohn. As a rule and as a security/privacy issue I always delete all my cookies including LSO's (supercookies) before I close the browser and run CCleaner afterwards. As a result it does take my search engine a little bit longer to boot up and my web mail client to load since those cookies have to be reinstalled every time. Perhaps this is a good thing after all and worth the extra time involved. Thanks for the info on that. Something to be wary of from now on.

[sweidre]

Hi WacoJohn & Ritchie,

Thanks for your posts! Is really deleting cookies (& LSOs) at browser closing enough? I think, that cookies must be cleared already during the browsing! Most browsers have an add-on to clean all cookies at any time! I have not checked all, but Slimbrowser, FF, & Chrome have it! IE, FF & Chrome have also the possibility to switch to Private mode or Incognito mode respectively (and back to Normal mode again!) My Slimbrowser has no Private mode, though!

Cheers,

sweidre

[ritchie58]

I use an enhanced cookie manager called CookieCuller that can delete cookies on the fly. In fact if I'm done with a particular web site I'll use CookieCuller to delete any cookies that web site installed if I'm not through with the browser. Always keeping cookies at their minimum. For LSO's I use BetterPrivacy to delete them manually or automatically.

[ritchie58]

I use an enhanced cookie manager called CookieCuller that can delete cookies on the fly. In fact if I'm done with a particular web site I'll use CookieCuller to delete any cookies that web site installed if I'm not through with the browser. Always keeping cookies at their minimum. For LSO's I use BetterPrivacy to delete them. I also use the custom privacy setting for FF. Where all private data is suppose to be deleted when the browser closes. It never does a 100% job so that's why I use CCleaner after the browser closes to make sure all private data is wiped out for good.

[ritchie58]

Sorry about the duplicate. I edited the post, tried to resubmit and got timed out several times. Now there's two, weird.

[sweidre]

I use an enhanced cookie manager called CookieCuller that can delete cookies on the fly. In fact if I'm done with a particular web site I'll use CookieCuller to delete any cookies that web site installed if I'm not through with the browser. Always keeping cookies at their minimum. For LSO's I use BetterPrivacy to delete them. I also use the custom privacy setting for FF. Where all private data is suppose to be deleted when the browser closes. It never does a 100% job so that's why I use CCleaner after the browser closes to make sure all private data is wiped out for good.

Yep! I think that FF has got all necessary add-ons! I'm not using CookieCuller, but Cookie Manager Button (on the fly) & CookieSafe. I have BetterPrivacy setup, so that FF ordinary tool "Remove All History" at browser closing has an separate box Flash Cookies, thus (translated straightly now from Swedish):

v Visited pages filefetching history

v Forms & Search History

v Cookies

v Cache

v Active Logins

v Site Specific Settings

v Session Manager Saved Session (mostly I have this option unticked, because I want to save at least 10 sessions using Session Manager = a security leakage caused by myself)

v Flash Cookies (this option is added thru setting in BetterPrivacy)

I have an FF extension called Click&Clean (exists also in Chrome), that cleans all browsing history at browser shutdown (incl. cookies) automatically. Click&Clean has an option to add an external cleaner (e.g. Wise Disk Cleaner or CCleaner). I have selected Ccleanerx64.exe, so it cleans at every browser shutdown.

So regarding FF there are many good security extensions to choose between. So securitywise for me FF is a must have browser!

Cheers,

sweidre

[ritchie58]

That's another add-on I use too Sweidre! I have it configured to clean everything when the icon is clicked before the browser closes and to also automatically load CCleaner once the browser closes, ready to run. It is an almost needed app for this version of FF since Mozilla did away with the icon that performed that function in earlier versions. I use to keep that default icon in the navigation bar for quick access. I get a kick out of Click&Clean's icon, a roll of toilet paper, lol! Wiping all that unnecessary stuff away! I think it's funny.

[ritchie58]

I know this is off track of the original post by WacoJohn but I did want to mention to you that they also did away with the default restart icon. There's a add-on called Restart Firefox 0.5 that will add the missing icon. I also added that to the navigation bar along with the reload current page icon too. I like quick access to the tools that are used on a regular basis.

[sweidre]

There's a add-on called Restart Firefox 0.5 that will add the missing icon. I also added that to the navigation bar along with the reload current page icon too. I like quick access to the tools that are used on a regular basis.

Yes, I was missing the Restart icon, so I added "Restart Firefox 0.5".Good! Then I found "Memory Restart 1.3" = "greenish icon" showing the memory used both under the icon but also in the statusbar. Default "max" is 500 MB, but it can be changed. If ticked, FF can be automatically restarted when the "max" limit is surpassed! I did not have to add the extension "Reload Current Page", because it was already in FF as default (first it was malplaced in the addressbar, then it jumped to the right of the addressbar. I have a Swedish version of FF4.0.1 so all default features are in Swedish ("Ladda om sidan" ="Reload Current Page"). But extensions, that I add to the default (basic) FF are all in English. There are so many extensions available, so I will now concentrate upon having many security extensions and very few others. (Too many extensions will hamper speed!)

Cheers,

sweidre