Microsoft does not consider cookiejacking a serious threat.
At a recent hacker conference in Switzerland, Italian researcher Rosario Valotta demonstrated an interesting bug in IE 7/8/9 that allows cookies to be copied from a user's computer.
By analogy with clickjacking, the method works through a transparent iframe that displays the list of files in the cookies folder. Another element is placed on top of it, and the user drags it into another frame with minimal security settings (Security Zones in IE), in effect voluntarily handing the files over to the attacker. On his blog, Rosario Valotta posted an attractive puzzle of a half-naked girl in which the mosaic pieces had to be dragged aside, and within a few days he had received cookies from 80 of his 150 Facebook friends. Valotta's website on Google hosting has already been disabled for a ToS violation. For more information about the vulnerability, see the slides and video of his presentation at the hacker conference.
A clip demonstrating cookiejacking itself is here.
Back in January, Rosario Valotta sent information about this bug to the Microsoft Security Response Center, but he still has not received a response. Moreover, a few months later the final release of IE9 came out with the same bug, although it was obvious that they had tried to close it, just not entirely successfully.
On May 27, Microsoft's Security Response Manager finally commented officially on the so-called 0-day exploit. According to him, since this method of stealing cookies requires the user to visit a malicious site and perform certain actions, the attack is unlikely, and Microsoft does not consider the vulnerability serious.
However, independent analysts believe that Microsoft is mistaken. According to them, cookiejacking only seems at first glance to be a primitive, non-technical exploit; in fact it is an effective technique that could become very popular among intruders if the hole is not closed.