“Cookiejacking,” anyone?
In the last few days, a new vulnerability in Microsoft Internet Explorer has made its way through the media. Disclosed at the Hack in the Box conference by the independent researcher Rosario Valotta, this flaw takes advantage of a property of HTML5 to steal cookies from the victim.
This kind of attack, called cookiejacking by Valotta, bypasses all the security measures in Internet Explorer and works on any version of the application and Windows.
Sounds scary, doesn’t it? Well, this threat is really more noise than anything, and we’ll explain why.
First, unlike other truly dangerous attacks or malware that are completely silent (such as PinkSlipbot), this attack requires the victim to visit a malicious site and perform a drag-and-drop action. Also, the attacker must know the victim’s Windows username and where cookies are stored.
Second, although many sites leave their cookies in plain text, the cautious ones (such as banks) keep those values encrypted so that attackers can’t easily gain usernames and passwords.
Third, ask yourself a question: How many times have you been working on a site you’ve logged into and, when you refresh a page or move around the site, you find you need to log in again? More than once, yes? That’s because almost every website that uses cookies gives them a very short lifespan, so even if someone manages to steal your cookies, the attacker would have to use them within that timeframe.
If this low-likelihood attack is successful, the attacker will have a complete history of your browsing–which sites you have visited and how frequently–so you could start seeing a lot of spam/phishing designed especially for you.
If you’re truly unlucky, the attacker will capture your usernames and passwords for the sites that store them in plain text, so someone could adopt your identity on those specific sites. But remember, sites that manage sensitive information use encrypted cookies.
Could this scenario be dangerous? Sure.
But is it dangerous by itself? Not so much, and you can very easily prevent falling for this kind of attack.
Be careful where you go on the Internet. Do you see a link with a new online game? Search for it first, and read the comments! Has a friend sent you a Facebook invitation that seems strange or out of place? Don’t go! Ask your friend about it.
Keep your cookies clean: delete them regularly, and log out of any important website every time you finish your business. These are simple steps, but they will invalidate those cookies. And, finally, never, ever allow a website to remember your sessions! That keeps your cookies valid for future sessions.
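The expiry and logout behaviour described above, as an added sketch that is not from the original post or from any site's real code: a hypothetical server-side `SessionStore` (the class name, lifetimes and username are assumptions) that shows when a copied cookie is still accepted and when it is already worthless.

```python
import secrets

# Constructed values for this illustration; none come from the original post.
SHORT_TTL = 15 * 60             # ordinary session: 15 minutes
REMEMBER_TTL = 30 * 24 * 3600   # "remember me" session: 30 days


class SessionStore:
    """Server-side session table. The cookie holds only a random opaque id,
    never the username or password, so a copied cookie reveals no credentials."""

    def __init__(self):
        self._sessions = {}  # session id -> (username, expiry timestamp)

    def login(self, user, now, remember=False):
        sid = secrets.token_urlsafe(32)  # unguessable cookie value
        ttl = REMEMBER_TTL if remember else SHORT_TTL
        self._sessions[sid] = (user, now + ttl)
        return sid

    def validate(self, cookie, now):
        """Return the username for a live session cookie, or None."""
        entry = self._sessions.get(cookie)
        if entry is None:
            return None  # unknown id, or the user already logged out
        user, expiry = entry
        if now >= expiry:
            del self._sessions[cookie]  # expired: drop it for good
            return None
        return user

    def logout(self, cookie):
        # Logging out deletes the server-side record, so any copy of the
        # cookie stops working immediately, whatever its remaining lifetime.
        self._sessions.pop(cookie, None)


def replay_outcomes():
    """Replay copied cookies at different times and report what the server accepts."""
    store = SessionStore()
    t0 = 1_000_000  # constructed clock value, in seconds
    short = store.login("alice", t0)
    remembered = store.login("alice", t0, remember=True)
    logged_out = store.login("alice", t0)
    store.logout(logged_out)
    return {
        "short_within_ttl": store.validate(short, t0 + 60),
        "short_after_ttl": store.validate(short, t0 + 3600),
        "remembered_after_hour": store.validate(remembered, t0 + 3600),
        "after_logout": store.validate(logged_out, t0 + 60),
    }
```

Only the "remember me" session is still accepted an hour later, which is why the advice above is to log out and to decline remembered sessions.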
Really, all we need is a bit of caution.
M. Francisca Moreno Vilicich and Alfonso A. Kejaya Muñoz of McAfee Labs Chile made major contributions to this blog.