Cookiejacking in IE

Date: 2011-05-28

According to “CNET”, a security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.
Referring to the exploit as "cookiejacking," the researcher claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.
He acknowledges that to exploit the hole, the hacker must employ a bit of social engineering, because the victim must drag and drop an object across the PC for the cookie to be stolen. But he said he was able to devise the right type of challenge on a Facebook page, thus allowing him to capture people's Facebook credentials via a cookie. "I published a game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said.
"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," a Microsoft spokesman said in a statement to “CNET”.
