Cookiejacking Exploit Threatens Facebook Accounts

Thursday, May 26, 2011



Italian researcher Rosario Valotta has devised an attack method that exploits a flaw in Internet Explorer to harvest the cookies a browser uses as authentication credentials.

The “cookiejacking” proof of concept, which was disclosed last week at the Hack in the Box security conference in Amsterdam, would allow an attacker to gain unauthorized access to Facebook, Twitter, Gmail, and other private user accounts.

“You can steal any cookie. There is a huge customer base affected (any IE, any Win version)... It is complicated for the attacker but not for the victim,” Valotta said.

The attack chains two previously known techniques: the first is a manipulation of the file-sharing functionality built into IE, described by Jorge Medina; the second is an advanced form of drag-and-drop clickjacking developed by Paul Stone.

According to a report in The Register, "the attack exploits a vulnerability in the IE security zones feature that allows users to segregate trustworthy websites from those they don't know or don't ever want to access. By embedding a special iframe tag in a malicious website, an attacker can circumvent this cross zone interaction and cause the browser to expose cookies stored on the victim's computer."

A video demonstration of Valotta's cookiejacking exploit has been posted on YouTube.

Valotta notified Microsoft of the vulnerability in January, and the company plans to ship a fix for the flaw alongside its regularly scheduled patch releases in June and August.

"We are aware of an issue that could enable theft of a user's cookies if they were convinced to visit a malicious website and once there, further convinced to click and drag items around on the page. Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Pete Voss said in a statement.

The disclosure of the cookiejacking exploit follows news of two other cookie-related vulnerabilities affecting LinkedIn users. Security researcher Rishi Narang discovered two weaknesses on the site that leave member accounts open to takeover by attackers.

Narang identified the first vulnerability as the presence of an "SSL cookie without [a] secure flag set." Without the Secure attribute, the browser will send the cookie over plain HTTP as well as HTTPS, so the session cookie travels in cleartext and can be captured on the network, leaving the account susceptible to hijacking.

The second vulnerability relates to "cookie expiration and session handling," where "the cookie for an authenticated session is available even after the session has been terminated or way beyond the date of expiry (instead compared to session logout, it is valid for 1 year). There are examples where cookies are accessible to hijack authenticated sessions. And these cookies are months old..."

An authentication session cookie that is exposed in cleartext, and that remains valid long after the user has logged out, gives an attacker full access to the account: the opportunity to modify profile information and settings, and to expose the user's network contacts to phishing and social-engineering attacks.
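The two LinkedIn weaknesses above are both visible in a server's Set-Cookie headers, so they can be checked without touching the application itself. The following is an added example, not code from the article or from LinkedIn: a small auditor that parses Set-Cookie lines and reports a session cookie issued without Secure or HttpOnly, or with a Max-Age/Expires lifetime far beyond a browser session (the one-year lifetime Narang describes). The header lines are constructed, the cookie names and the 24-hour lifetime threshold are assumptions for the example, and the reference date is the article's publication date.

```python
"""Audit Set-Cookie headers for session cookies that lack the Secure flag or
persist far beyond the session. Added example; the header samples, cookie
names and lifetime policy below are constructed assumptions, not LinkedIn's."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers (hypothetical cookie names, placeholder values).
SAMPLE_HEADERS = [
    "Set-Cookie: sessionid=abc123; Path=/; HttpOnly",                          # no Secure
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; Max-Age=31536000",  # one year
    "Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly",                  # session-scoped
    "Set-Cookie: lang=en; Path=/; Expires=Wed, 25 May 2012 10:00:00 GMT",      # not a session cookie
]

# Reference "now" for Expires arithmetic: the article's publication date.
REFERENCE_NOW = datetime(2011, 5, 26, tzinfo=timezone.utc)

# Names treated as session cookies, and the maximum lifetime tolerated for them
# (policy assumption for this example).
SESSION_NAMES = {"sessionid", "jsessionid", "phpsessid", "asp.net_sessionid"}
MAX_SESSION_LIFETIME = timedelta(hours=24)


def parse_set_cookie(header, now=None):
    """Return (name, attrs). attrs maps lower-cased attribute names to their
    values (True for flag attributes such as Secure and HttpOnly) and carries a
    'lifetime' timedelta derived from Max-Age (preferred, as in RFC 6265) or
    Expires; lifetime is None for a session-scoped cookie."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    lifetime = None
    if "max-age" in attrs:
        lifetime = timedelta(seconds=int(attrs["max-age"]))
    elif "expires" in attrs:
        now = now or datetime.now(timezone.utc)
        lifetime = parsedate_to_datetime(attrs["expires"]) - now
    attrs["lifetime"] = lifetime
    return name, attrs


def audit_set_cookie(header, now=None):
    """Return a list of finding strings for one Set-Cookie header (empty means OK)."""
    name, attrs = parse_set_cookie(header, now)
    findings = []
    if name.lower() not in SESSION_NAMES:
        return findings  # only session cookies are policed here
    if "secure" not in attrs:
        findings.append(f"{name}: session cookie without Secure flag (browser will send it over plain HTTP)")
    if "httponly" not in attrs:
        findings.append(f"{name}: session cookie readable by script (no HttpOnly)")
    lifetime = attrs["lifetime"]
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append(f"{name}: session cookie persists {lifetime.days} days beyond a browser session")
    return findings


def audit_all(headers, now=None):
    """Map each header line to its findings."""
    return {h: audit_set_cookie(h, now) for h in headers}


if __name__ == "__main__":
    for header, findings in audit_all(SAMPLE_HEADERS, now=REFERENCE_NOW).items():
        print(header)
        for finding in findings:
            print("    ", finding)
```

Run it against the Set-Cookie lines captured from a login response (a proxy or `curl -i` will show them). Note that the auditor only reports what the server sends; the second LinkedIn problem, a cookie that stays valid after logout, also needs a server-side test: replay the old cookie after logging out and confirm the request is rejected.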

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.