Out-Law News 1 min. read
27 May 2011, 12:41 pm
Rosario Valotta claims to be able to steal IE users' log in details for Facebook, Twitter and Google Mail, but said that the technique, which involves stealing users' cookies that retain the information, can be used to steal data for virtually any website. Cookies are small text files that records information about users' online activity. Websites store cookies on users' computers.
“You can steal any cookie,” Valotta said, according to a report by The Register.
“There is a huge customer base affected (any IE, any Windows version),” Valotta said, according to The Register.
Hackers have to guess, or "sniff", an internet users' username for accounts, but can discover the log in passwords by circumventing users' security settings within IE by using "an advanced clickjacking technique", Valotta said in his online blog.
Clickjacking is when users click on a button that appears to serve an innocent function but reveals confidential information belonging to the user, such as cookies.
Valotta said he opened up a new window within internet users' browsers and devised a game for users to interact with in order to steal their cookies. Users that clicked on a basketball and dragged it through a hoop inadvertently would give hackers cookies that would contain password details for any website account they had logged into during that web session, Valotta claims.
Hackers also have to know which version of the Windows operating system their targets are using in order to locate the cookies in the correct folder, Valotta said.
“It is complicated for the attacker but not for the victim,” Valotta said, according to The Register.
Microsoft said that the complex process meant it did not consider the threat "high risk," according to The Register's report.
"We are aware of an issue that could enable theft of a user's cookies if they were convinced to visit a malicious website and once there, further convinced to click and drag items around on the page. Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Pete Voss, a spokesman for Microsoft said, according to The Register.
Voss said hackers could only steal cookies from websites the victim was still logged into, The Register report said.
Valotta said he first told Microsoft's security team in January about the flaw and said he had been told the company intends to fix the problems with updates in June and August, The Register report said.
