Slashdot Mirror
MSIE's Cookies Are Public
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.
> what is M$ bashing FUD and what is a valid opinion?
What really matters is, how long until a fix is out, and what other problems will the fix introduce?
--
Sheesh, evil *and* a jerk. -- Jade
A quick update: I did a "cut and paste" of the statement made by peacefire.org here on Slashdot and have sent it on to Microsoft's Security team as a high-priority mail message.
Raymond in Mountain View, CA
A post on the NTBugTraq list calls this story a "hoax". Perhaps that's overstating it, but it's a good example of the danger of jumping to conclusions.
The poster says that the demonstration script uses document.write to display the contents of a cookie in the browser window. Nowhere is it explained how the information might be transmitted back to the server.
I haven't investigated the code myself, just passing along the comments of others.
you're forgetting about "gift shipments".
step 1: get person's cookie file
step 2: sign onto ecommerce service as person
step 3: change the person's default email adress with the service to a hotmail account (so they won't notice the "item hasbeen shipped" thing)
step 4: mail something, as a "gift", to a P.O. box. they will let you do this.
If you get lucky no one will notice. Scarily enough, this would work.
Irritable, left-wing and possibly humorous bumper stickers and t-shirts
Open-source webserver Apache fixed its 404 not found page to escape the name of the URL, but most dynamic websites still haven't fixed all of their code.
Coincidentally, I had just been reporting a bunch of bugs about bugzilla (mozilla's bug-tracking system) not being careful with untrusted data when these slashdot articles come up. I'm actually more worried about attacks against mozilla's CVS system than its against its bug-tracking system, but I haven't looked for bugs there yet.
--
The shareholder is always right.
If this is occurring even on Apache, then we may have a MAJOR security problem here.
This could indicate that Javascript (or ECMA-242 script as it's sometimes known) in general can cause a security leak. They better start testing this on Netscape Navigator 3.x and all Netscape Communicator versions NOW to see if Netscape is also vulnerable to this bug.
Raymond in Mountain View, CA
Heres How...
1. Write book ( Something catchy and trendy ie. "Whats good for MS is good for America" ).
2. Build a website to promote your book.
3. Scan for BN and Amazon cookies from those who visit your site.
4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.
5. Collect your royalties and move offshore.
I have tried the demo by Jamie (go to Hollywood, etc.) and then a window opens with many frames. All contain "ERROR 205 -- DNS name lookup failure. Please contact your system administrator." from the proxy but for http:/ /www.securityspace.com%2fexploit%2fexploit_1e.html %3fa=.hollywood.com/ that has a Hollywood.com window saying "That user doesn't exist".
When I tried the box and button on Securi ty space, I get "www.slashdot.org's cookie is:".
I run IE 4.0 in NT and have Junkbuster set to allow cookies only to sites I trust.
I also have a company proxy to access the web.
__
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
The "hidden" troll forum is currently up to about post #2100, and all of them are genuine posts rather than bot-generated. So you still come in second with about 800 posts :)
http://somewhere.com/%2ftest.php3?q=8
replaces the %2f with a / on my apache server. That's all. I guess there is a problem with your apache configuration. Since you seem to be called Jonathan Clark and the URL apache returns for you contains
I'll do it for cheesy poofs.
Comment removed based on user account deletion
Comment removed based on user account deletion
I would quit my job immediately if my employer installed filtering software. For God's sake, why would an employer want to forbid their employees from educating themselves?
It's mostly to stop the idiots in sales from surfing for pr0n.
Revealing proprietary, trade secrets on a public web site? Let's face it, this is MS, there is no way this is a security hole, they are too "innovative" for that kind of sloppy work to get through. This must be a special "enhancement" they made to the way javascript works, and as such, is covered under the DMCA.
:)
I'll be it's another letter for you guys
Finkployd
... whether peacefire.org is going to get threatened by Microsoft under the DMCA for releasing these "trade secrets" ?
OK, here ends the simple "anti-MS" part of the post (fun though it was for me). Please, folks, let's just look at this as simply a data point and a public-service announcement. Yes, it's a hole in IE; it's a safe bet that every significant piece of software's got holes.
Let's see how fast MS is able to get a patch out; this one's big enough for them to really worry.
"Oh, I hope he doesn't give us halyatchkies," said Heinrich.
ROTFLMAO
OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'
It makes the Internet all that much closer to you, as well as your machine:in both directions.
Well, maybe the above thought is incorrect.
Anyway, I'm thinking something blasphemous. M$ complains that splitting it up will hinder it's ability to 'innovate' and 'compete'. Isn't that the point? If M$ can't expect to release a decent Office or X-Box or IE without access to the OS group, how is Netscape, or Corel, or anyone else expected to 'innovate' and 'compete' if M$ cannot?
There are people complaining about how breaking up M$ is bad, but I'm wondering, if M$ restructures itself in such a way that the OS department can still freely communicate with the Apps department, but in a way that is public and open, doesn't *everyone* win?
-AS
-AS
*Pikachu*
I am just trying to think of how Mico$oft marketing will try to explain this as a feature....
"It is a greater offense to steal men's labor, than their clothes"
Maybe a breakup is a good thing. Its about time that Micorosoft re-discovers the meaning of the words, pride.. integrity.. fun.. innovation.. excellence. Instead of of their usuall fair which consists of market capitialization, share value, PR, equity.
Microsoft has alot of good people working for them, and I have had the pleasure of working with some of them. To bad the company's sense of responsibility, and integrity is off smoking a $3 sack of crack.
My humble opinion.....
-Nathan
Anyone with a packet sniffer can see your cookies. They are not normally encrypted. Web developers should not be putting sensitive information in cookies or using cookies as the only verification needed for secure tasks, like on-line purchases. Sites like Yahoo are very careful to require a password before letting you edit sensitive data, even if you have a cookie.
With a policy like that, it really doesn't matter if the entire world looks at your cookies.
What about Intranets? Companies are using these for a lot of things now, including sensitive strategic and HR data.
Now anytime a boss visits a hostile web site, he may be giving away the keys to the company's proprietary data. Even if personal web sharing is not allowed, a hostile employee and and outside confederate could easily stir up a lot of trouble.
Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
Test your for your Slash Dot Cookie
Mine was choclate chip Mmmmm
"`Ford, you're turning into a penguin. Stop it.'" -THHGTTG
So anyone can read the document and create an implementation without Microsoft's permission now? They don't have to illegally copy the document or anything. I'm curious to know how the situation stands right now.
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
However, be sure to note that the only reason this stops this particular exploit is because the page is coded to check for the browser. If it wasn't, then simply sending a different User-Agent would be no protection at all.
Right. And it has this in the license:
...Microsoft grants to you the following...to reproduce and use a reasonable number of copies of the Specification in its entirety for the sole purpose of reviewing the Specification for security analysis...
Doesn't posting on Slashdot count as this????
There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
That beats mine by a longshot. BTW, do you have any references so we know that you didn't keep our passwords? You da man.
numb
I can do that with Netscape too.
The difference is that anyone (skilled enough) can fix linux problems. Only Microsoft can fix MS problems - if/when they get around to it.
Besides, bashing M$ is fun. Bashing the under-dog would be seen as cruel!
Actually the article just says that you can't get to credit card info or other account maintenance things because you are asked to type a password. This is correct. However, if the user has set up one-click on the computer you stole the cookies from, you probably can one-click order stuff. There is no password required for one-click (just "one click"). It's all based on cookies. Of course, whatever you order will be shipped to the victim and not to you, but you'll still run up their credit card bill :(
-- Erv Walter
Well, yeah, but all the stuff will go to the poor sap whose cookies you stole. Hey, you could order him lots of pr0nography and stuff--let 'im explain that to his significant other.
unDees
"I call a baby goat a 'goatse.'" -- my non-Internet-savvy 6-year-old stepdaughter
So its no longer a trade secret. Its still a copyrighted document and is still protected as such.
"But remember, most lynch mobs aren't this nice." (H.Simpson)
-- Joe
It posts, but anonymously.
Rule of thumb: if you want security or privacy, do not use a Microsoft product.
--
--
Don't like it? Respond with words, not karma.
...writing the PHP script so that it makes people's browsers post the following:
===================
Subject: Can You Imagine...
Body:
...a Beowulf Cluster of these?
Thank you.
===================
You would have earned a place in the annals of Slashdot history.
Take care,
Steve
========
Stephen C. VanDahm
It's totally configurable, you can design any filters you want - but I'm so happy with the default that I just leave it at that. (particularly I like the agent and referer masking.)
Since search.pl echoes what you type in "Searching blahblahblah" without stripping the JavaScript, you'll get an alertbox when you view the page.
drwiii's page works like that. That page redirects to something like this URL:
(Actually, the "+" and perhaps the ";" would need to be changed to "%2B" and "%3B" in the URL.) EvilSite's CGI script receivesOriginally, drwiii's script used /.'s 404 page, which was optimized for people who accidentally made links like this. That loophole got closed after the server move.
--
New empires...began ebbing and flowing all over the place like Moon Pies on a hot sidewalk.
..!!in an intastella burst i am back to save the universe!!
I think your post is a bunch of mindless ranting and highly overrated. I don't usually jump to Microsoft's defense but there is no way your post deserved a 5.
.vbs file to activate it. You don't go around running executables do you? So this virus/trojan is nothing more than a case of uneducated users trusting something they shouldn't.
First of all, to the cookie issue: turn off Javascript, OR go into the security settings and disable cookies that are stored on your computer. OR wait a brief moment and Microsoft will have a patch out. OR use any number of 3rd party cookie filtering programs that are out there. Personally I think neither Netscape, nor IE provide sufficient cookie control and management capabilities.
Also, let's keep some perspective and remember that both IE and Netscape have had vulnerabilities uncovered. They both make mistakes, they both fix them. Let's move on.
As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the
I DO think Microsoft should not allow their script language to poke through your address book. Newbie computer users would be less likely to trust this type of trojan if it wasn't a friend of theirs in the From: field.
The rest of your rant about the trade secrets and UCITA is nothing more than mindless Slashdot karma whoring. *yawn*
Best regards,
SEAL
I can't help but think - what if someone grabs my cookie file and mails it to my mother? This is the worst thing to happen since the "History" list in the browsers ...
;)
ahhhhhhhhck.
The real security blunder here is sites storing sensitive information in cookies. Idiot moves by microsoft should be anticipated, and _no_ sensitive information should be stored in cookies.
makes you wonder how long microsoft has been collecting cookies from other web sites
g
A bit offtopic...
While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this expoit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.
So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.
Think of it as evolution in action.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
Did you get a copy of the ILOVEYOU email or attachment? Did you look at the source code? I did. I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING! It was a Visual Basic script. Those don't do anything by themselves. I have a copy of it on my HD, and all my jpgs and mp3s are just fine...
Go read the article you posted the link to. All references to ILOVEYOU are *COMPARISONS*.
They quite clearly state: "Email viruses are now spreading WITHOUT THE USER OPENING ANY ATTACHMENT..... This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus." They make no claims about ILOVEYOU spreading in this manner. They simply use the havoc-level of ILOVEYOU as a baseline for destructiveness.
The virus they are referring to in this case is the Kak virus.
Eric
put the Kerberos spec from MS in my cookie file.
That way they will be responsible for distributing their own trade secrets through their own security holes.
Then, they can sue themselves.
Comment removed based on user account deletion
The default installation of Proxomitron disables this exploit without sacrificing the Javascript functionality needed to enjoy the majority of sites. Cool.
After what I've seen today, I'm not about to click on that.
numb
Why is that interesting? Because, MS is arguing that consumers need MS to remain one company so the OS side and software side can work close together and provide us with more powerful software, and breaking them up would stiffle "innovations" in future products - resulting in less powerful and less user-friendly tools for consumers.
MS expects people to believe that, when they can't even effectively share algorithms, programming procedures, and code within the same software product?
MS = BS;
My karma is in a nose dive
As was pointed out a lot of sites use cookie to maintain session. Therefore if I can steal the session ID for lets say Amazon I could send you $20000 dollars of books as a joke. That is not funny.
This hole depreciates the value of "Netscape" cookies which is a nice way to maintain session with a connectionless protocol.
Oh GOSH. Now they have the fake name/address/e-mail I always put on stupid registrations. So let Bob Gobman at 1 Happy St. get all the junk mail destined for me. And let the unfortuneate fellow whos e-mail is bob@bob.bob get all the spam destined for me.
Is it just me or do people find reasons to get all up and arms for nothing. For all of you how will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, the DON'T POST YOUR REAL DATA!!!
Network Security: It always comes down to a big guy with a gun.
I am shocked. This is pathetic.
If I were the Justice Department (or United Nations, or DoD, or CIA, or FBI, or ANYONE who gave a damn about security ) I would be seriously considering if Microsoft products have any place on my desk, in my office or in my life. The open cookie jar isn't so much what bothers me but this is the straw that brakes this camel's back.
Microsoft's attitude toward security and toward the end user in general is atrocious. I don't really care what you think, but it IS Microsoft's fault that the default install of Windows 98 using the default mail client simply by reading the ILOVEYOU message will be rendered useless. Now this???? I mean COME ON!
Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED . That's why they are guarded so viciously.
Oh, and another thing which is completely offtopic: I think that the UCTIA, Section 307, Subsection 2(e) invalidates the GPL!!! It is a description of what kinds of software licenses are valid. It reads "(e) Neither party is entitled to receive copies of source code, schematics, master copy, design material, or other information used by the other party in creating, developing, or implementing the information."
This would seem to mean that no one needs return code as the GPL demands. What do you guys think???
There comes a time in every man's life when he must say, "No mother! I do not want any more Jell-O!"
I mentioned this yesterday in the Hotmail thread but it kinda got lost in the shuffle. Slashdot should post an article about the "client-side trojans" discussion that is going on at Zope. Slashdot isn't the only site affected by this--and it's a simple hack:
:)
WARNING: Clicking this link will cause an article to be posted on Slashdot in your name
Obviously such a link wouldn't need to warn you what is does, or post such an innocuous message. Maybe I could make it post you slashdot cookies to o
You can see the results in sid=numb and there is a link to the source in there too.
numb
I noticed this exploit causes problem with Apache as well. This could possibly cause a security hole somewhere :
when I specify a URL like this:
http://www.somewhere.com/test.php3?q=8
apache correctly reports:
"Host: www.somewhere.com"
but when I specify a URL like this:
http://www.somewhere.com%2ftest.php3%3fq=8
apache reports:
"Host: www.somewhere.com/jc/test.php3?q=8"
This means apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.
But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.
-- Virtual Windows Project
HowTo turn-off scripting holes in outlook/IE.
------------------------------------------
In outlook/IE,
tools -> options -> Security -> Zone settings -> Custom level ->
under the scripting section disable
Active scripting,
Allow Paste operations, and
Scripting of Java applets.
Press ok till you are back in outlook/IE.
then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.
(Of course you all probably did this the first day you opened outlook, right.)
------------------------------------------
PS --
Here is very nice solution to the
(add
I'm not sure how to implement this in Exchange, though.
(from Rick Johnson off the saclug.org mailing list)
-- Andy
* "Uncle this droid is malfunctioning" -- Luke Skywalker
So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"?
1. with my cookies, 1-click enabled.
2. close browser, remove amazon cookies.
3. open browser, amazon askes me to log in; no 1-click
4. close browser, put amazon cookies back
5. open browser, amazon recognizes me, 1-click enabled, no password required.
Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
And if you want to still use Javascript at certain sites but not promiscuously ;) get IE power toys (tools) at the microsoft web site and set up the internet zone as the other people have said and set the trusted zone to allow javascript (since some sites won't work at all without javascript).
The power tools allow you to switch a site into the trusted zone just by clicking
Tools>Add to Trusted zone
and you can delete the site from your trusted list in the usual manner (Tools>InternetOptions...>security>trusted sites remove)
This makes it easier to allow cookies at Slashdot and not at Joe Website who hates all people and will screw them over any chance he gets.
-------- This space intentionally left blank --------
I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.
However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.
You believe that disabling javascript or turning off cookies completely is an acceptable solution to this problem?
If a security hole is found next week, in something that can't be disabled, will your suggestion be: "what's the big deal don't surf for a while. I'm sure Microsoft will have a patch out soon."
While the post you're responding to did ramble, I think that a person is justified in being tired of the poor designs force fed to most of the world by Redmond.
And the idea that we shouldn't get upset, because there will *probably* be a patch to fix the problem makes me sad. With that kind of thinking out there things aren't going to get better any time soon.
Hmm.. I only have IE for Solaris installed on this box for just such occasions.
--
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...
Is this Slashdot slowdown just a coincidence? I think not. Slashdot is now the victim of an official Microsoft Denial of Service Attack.
Slashdot has crossed the line and is hurting our American Company's Freedom to Innovate.
Also, this temporary Explorer snafu makes it quite clear that Microsoft doesn't steal everything from open source!
blessings,
Master Bait
"Only in their dreams can men truly be free 'twas always thus, and always thus will be."
--Tom Schulman
But this bothers me and sounds similar to the bug reported at CookieCentral a long time ago. I'm trying to digest how this is different and what danger (and likelihood of appearance) this represents "in the wild".
Answers here or to me by email would be appreciated.
Get Veiled
If the folks at Peacefire did not reported these problems to Microsoft's Security team, then they are essentially doing a major disservice to the public.
Hopefully, they do know Microsoft's address for reporting security issues: secure@microsoft.com. That address is monitored 24 hours a day and the MS security folks will try to replicate the problem ASAP.
Raymond in Mountain View, CA
Fun with Amazon's One-Click Shopping, or "you mean you didn't order five hundred copies of Joy of Preteen Sex?"
Doesn't Amazon's proprietary exclusive patented HANDS OFF IT'S OURS AND YOU CAN'T HAVE IT One-Click Shopping system use cookies to save buyers those arduous extra clicks? And doesn't this mean that someone using this exploit can then get your personal buyer's information? ("Your," not "my", at least until Amazon stops suing people right and left.)
Gee, I guess it's a good thing that Amazon has defended their patent so vigorously, or else customers of other companies would be equally at risk.
By the way, this is off-topic, but I figure readers would be amused. Who is to blame for the "ILOVEYOU" worm? Those funloving Filipino folks who wrote it? Microsoft, for making their scripting language so insecure and so easy to subvert? Why no. According to those geniuses in Congress, the $15-billion dollars in damages (I wonder why they didn't say "$15-trillion" or $15-quadrillion" as long as they were pulling numbers out of thin air) are due to the slackness and irresponsibility of McAfee, the anti-virus vendor. I've got to be kidding, right? Well, check it out.
Yours WDK - WKiernan@concentric.net
Of course, you can place the orders using you Amazon Affilate Sote, giving yourself a small percentage. But I think that would make it a tad too obvious as to who the culprit was. Unless it was your friend's store. :)
If a security hole is found that can't be worked around, then yes, wait for a patch. Same thing you would do with Netscape.
Both Netscape and Microsoft IE have had security problems but Slashdot holds Microsoft to a different standard.
Witness an OLD OLD bug:
http://www.ciac.org/ciac/bulletins/i -040.shtml
Sounds familiar, doesn't it? What happened? It got fixed. And this certainly is not the only Netscape bug that has ever surfaced.
Security problems are going to be discovered. Humans make mistakes. The key is to respond to the problems swiftly, and try not to rush products out the door without proper testing. I think both MS and Netscape were guilty of the latter for a long time.
Best regards,
SEAL