
MSIE's cookie jar is public
2000-05-11 21:00

Bennett Haselton has discovered another security flaw. This one allows any hostile website to read cookies on its visitors' hard drives. It's being called the "Open Cookie Jar." The vulnerability is due to a bug in the Javascript implementation of Microsoft Internet Explorer, running on Windows and (according to unconfirmed reports) running on unix as well. The bug does not affect Netscape's browser, nor the Macintosh version of MSIE. We have had reports that the bug exists for versions of MSIE from 4.0 to 5.5beta. The workaround is to turn Javascript off in MSIE - or to switch to a different browser.

Internet shopping, of course, is built on cookies, and MSIE running on Windows is the majority browser. The impact this vulnerability will have is unknown, but I would estimate it to be major.

Essentially the problem is that MSIE's Javascript function "document.cookie" interprets its source URL incorrectly. If that URL has the "/" following the domain name replaced with its hex encoding of "%2f", Javascript believes the URL's path is part of the machine name. By inserting ".amazon.com/" later in the path, Javascript is fooled into exposing Amazon's cookie - which can then be delivered back to a hostile third-party server. The third-party server can then use the cookie, at that time or a later date, even on an ongoing basis, to access information on Amazon's server which is keyed to the user's cookie. Your name, for example, is readily determined from your Amazon cookie, as well as your book and music recommendations. Amazon is just an example we used for our demonstration.

Sometimes, of course, just having the cookie violates the user's privacy. Many sites store the user's name, email, zip code, or other personally-identifiable information unencrypted in the cookie file. With this vulnerability, now everyone knows you're a dog!
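An added example (not part of the original post) modelling the parsing discrepancy just described, in JavaScript: a naive host extraction that stops at the first literal "/" in the raw URL, next to a standards-conformant parser (Node's built-in URL), with a cookie-domain match run over each result. The URL and the domain names are constructed placeholders, not real sites.

```javascript
// Naive host extraction of the kind the post describes: everything between
// "://" and the first literal "/", with percent-escapes left undecoded.
function naiveHost(rawUrl) {
  const afterScheme = rawUrl.slice(rawUrl.indexOf("://") + 3);
  const slash = afterScheme.indexOf("/");
  return slash === -1 ? afterScheme : afterScheme.slice(0, slash);
}

// Conformant host extraction: let the WHATWG URL parser decide where the
// authority ends. A host containing "/" or "?" after percent-decoding is
// rejected outright, so we return null instead of guessing.
function safeHost(rawUrl) {
  try {
    return new URL(rawUrl).hostname;
  } catch (e) {
    return null;
  }
}

// Cookie-domain match for a domain attribute such as ".example-shop.test":
// the host must equal the domain or end with "." + domain.
function cookieDomainMatches(host, cookieDomain) {
  if (host === null) return false;
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  const h = host.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Constructed sample: a third-party page whose path smuggles a foreign domain
// suffix by using "%2f" in place of "/". Hostnames are placeholders.
const SAMPLE_URL = "http://third-party.test%2fpage.html%3f.example-shop.test/";
const SHOP_COOKIE_DOMAIN = ".example-shop.test";

// Would a cookie scoped to the shop be released to this page?
function naiveParserLeaks() {
  return cookieDomainMatches(naiveHost(SAMPLE_URL), SHOP_COOKIE_DOMAIN);
}

function conformantParserLeaks() {
  return cookieDomainMatches(safeHost(SAMPLE_URL), SHOP_COOKIE_DOMAIN);
}
```

The naive check matches because the undecoded "host" ends in ".example-shop.test"; the conformant parser refuses the URL, so no cookie-domain decision is ever made on it.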
And it's possible, I believe, to build an exploit which can under some circumstances use 1-Click-style ordering to deliver someone a thousand books which they don't want. A denial-of-service on their credit card, if you will. However, I have not tried to construct a demonstration of such an exploit. Still, everyone should be aware that using Javascript on MSIE has profound implications for system security.

Bennett and I broke the story here:
http://peacefire.org/security/iecookies/
http://slashdot.org/article.pl?sid=00/05/11/173257

And see also:
http://www.newsbytes.com/pubNews/00/148908.html
http://news.cnet.com/news/0-1005-200-1857707.html

--
Jamie McCarthy
jamie () mccarthy org
http://jamie.mccarthy.org/

ISN is sponsored by SecurityFocus.com


News URL

http://peacefire.org/security/iecookies/