A computer security researcher discovered a bug in Microsoft Corp.'s commonly used Internet Explorer browser, which he claims might allow hackers to steal passwords to access websites such as Facebook, Twitter, and others.
He refers to the tactic as "cookiejacking."
“Any website will do. Any cookie will do. Your creativity is the only limit,” said Rosario Valotta, an independent Internet security researcher based in Italy.
Hackers may use the bug to gain access to a "cookie," a data file located within the browser that contains the user name and password for a web account, according to Valotta.
Once a hacker has the cookie, Valotta said, he or she can use it to access the same site as the victim.
The flaw affects all versions of Internet Explorer, including Internet Explorer 9, on any version of Windows.
Before the cookie can be hijacked, the hacker must convince the user to drag and drop an icon across the PC's screen.
That may seem to be a daunting challenge, but Valotta claims he was able to complete it relatively quickly. He created a puzzle that he shared on Facebook, challenging users to "undress" a screenshot of a beautiful lady.
“I posted this game on Facebook, and more than 80 cookies were sent to my server in less than three days,” he said. “On top of that, I just have 150 friends.”
According to Microsoft, the chances of a hacker succeeding in a real-world cookiejacking scam are slim.
According to Microsoft spokesman Jerry Bryant, “given the amount of required user engagement, this problem is not something we consider high risk.”
“To be affected, a user must access a malicious website, be persuaded to click and drag things across the screen, and the intruder must target a cookie from the website the user was already logged into,” Bryant said.