Monday, May 21, 2007

About Yahoo Domain

Internet Explorer "Open Cookie Jar"

Cookies stored by IE for Windows can be read by any Web site

Any Web site that uses cookies to authenticate users or store private information -- including Amazon.com, HotMail, Yahoo Mail, DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.

How it works

Using a specially constructed URL, a Web site can read Internet Explorer cookies set from any domain. For example, to read a user's Amazon.com cookie, a site could direct the user's browser to:

http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

If you replace the "%2f"'s with "/" characters, and the "%3F" with "?", this URL is actually:

http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com

But IE gets confused and thinks the page is located in the Amazon.com domain, so it allows the page to read the user's Amazon.com cookie.
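
The mismatch described above, modeled next to a stricter host check. This is an added example, not code from the original advisory or from Internet Explorer; the function names are hypothetical, and the split between a decoded fetch host and a raw cookie-check host is an assumed model of the confusion.

```javascript
// Added example; function names are hypothetical. CRAFTED is the URL quoted
// on this page.
const CRAFTED =
  "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com";

// Authority = text after "scheme://" up to the first literal "/", "?" or "#".
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  if (!m) throw new Error("not a hierarchical URL: " + url);
  return m[1].toLowerCase();
}

// Cookie domain-match: host equals the domain or is a subdomain of it.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Assumed model of the confusion: the request goes where the DECODED string
// points, while the cookie check looks at the RAW, still-encoded authority.
function confusedView(url) {
  const raw = rawAuthority(url);
  return { fetchHost: decodeURIComponent(raw).split(/[\/?#]/)[0], cookieHost: raw };
}

// Hardened: one host serves both purposes, and only a plain DNS name with an
// optional port is accepted, so "%2f" or "%3F" in the authority is an error.
function strictHost(url) {
  const m = /^([a-z0-9.-]+)(?::\d+)?$/.exec(rawAuthority(url));
  if (!m) throw new Error("rejected authority: " + rawAuthority(url));
  return m[1];
}

// Would a page at `url` be given cookies scoped to `cookieDomain`?
function strictCookieAccess(url, cookieDomain) {
  try {
    return domainMatches(strictHost(url), cookieDomain);
  } catch (e) {
    return false; // URL rejected: nothing is loaded, no cookie is exposed
  }
}

const v = confusedView(CRAFTED);
console.log("fetched from:", v.fetchHost);
console.log("confused check grants .amazon.com:", domainMatches(v.cookieHost, ".amazon.com"));
console.log("strict check grants .amazon.com:", strictCookieAccess(CRAFTED, ".amazon.com"));
```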

Affected:

Internet Explorer (all known versions) for Windows 95, 98, NT, and 2000. IE for the Macintosh does not appear to be affected. Users have reported that IE versions for Solaris and HP/UX are vulnerable, but IE's browser share on UNIX platforms is much lower. No version of Netscape Navigator or any browser other than Internet Explorer appears to be vulnerable.

Workaround:

As of 5/18/2000, Microsoft has released a patch that fixes this problem:

http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

If you do not want to download the patch, the safest workaround is to disable cookies. You can do this by going to Tools->Internet Options->Security, clicking the button to customize security settings, and setting cookies to "disable". (Note that this will cause some sites such as HotMail to break.) Also, if you have Netscape's browser installed, it is not affected by the bug.

Implications

Jamie McCarthy came up with a list of cookies set by various sites that could be used to retrieve sensitive information:
By intercepting a cookie set by HotMail, Yahoo Mail or any other free Web-based email sites that use cookies for authentication, the operator of a hostile Web site could break into a visitor's HotMail account and read the contents of their Inbox. (HotMail cookies do not contain user passwords, but they do allow a third party to access a user's HotMail account for as long as that user stays logged in, since each separate login generates a new cookie.)
A user's Amazon.com cookie could be used to visit Amazon.com impersonating that user, and access their real name, email address, and the user's list of "recommended titles" -- which can be used to determine what types of books or CD's the user has purchased from Amazon in the past. (You cannot, however, access the user's credit card number or their actual list of previous Amazon.com orders, since accessing this information requires a password that is not contained in the cookie.)
A user's MP3.com cookie stores their email address.
A user's NYTimes.com cookie stores their NYTimes.com password. This isn't useful by itself, since the password is only needed to browse articles on NYTimes.com, but exposing this password is still dangerous since users might have the same password set up for several different sites.
A user's Hollywood.com cookie stores their city, state, and zip code.
A user's Playboy.com cookie stores the fact that the user has visited Playboy.com -- which not every Playboy visitor would want the whole world to know. (Yeah, we know, you just wanted to read the Jesse Ventura interview.)
A user's Zip2.com cookie can be used to access the user's home address.

(Source: http://www.peacefire.org/security/iecookies/)
