Slashdot Mirror


MSIE's Cookies Are Public

If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."

Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.

Essentially the bug is that MSIE's Javascript is not very smart about determining which domain the current page came from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
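As an added illustration (not code from the article, from Peacefire, or from any browser), here is a small Python model of the host-extraction difference the paragraph describes: a naive routine that treats everything between the "//" and the first literal "/" as the machine name and then does a bare suffix match against cookie domains, beside a hardened routine that parses the authority first, rejects anything that is not a syntactically valid DNS hostname (a percent sign can never appear in one), and matches cookie domains only on label boundaries. The cookie jar, the URLs and the host names (`evil.example` and friends) are constructed sample data.

```python
import re
from urllib.parse import urlsplit

# Constructed sample cookie jar: (cookie domain, cookie name). Not real data.
JAR = [
    (".yahoo.com", "yahoo_session"),
    (".msn.com", "msn_prefs"),
    ("evil.example", "tracker"),
]

# One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_HOST_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")


def naive_host(url: str) -> str:
    """The flawed approach the article describes: everything between '//' and
    the first literal '/' is taken as the machine name, without validation."""
    rest = url.split("//", 1)[1]
    return rest.split("/", 1)[0].lower()


def naive_domain_matches(host: str, cookie_domain: str) -> bool:
    """Bare suffix match: no host validation, no label-boundary check."""
    return host.endswith(cookie_domain.lower())


def strict_host(url: str) -> str:
    """Parse the authority first (before any percent-decoding), then validate
    it as a DNS hostname. '%' and other non-hostname characters are rejected."""
    host = urlsplit(url).hostname  # lowercased, port and userinfo stripped
    if host is None or not _HOST_RE.match(host):
        raise ValueError(f"not a valid hostname in URL: {url!r}")
    return host


def domain_matches(host: str, cookie_domain: str) -> bool:
    """Domain matching in the style of RFC 6265 section 5.1.3: exact match, or
    the host ends with the cookie domain at a label boundary."""
    host = host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_exposed(url: str, strict: bool) -> list[str]:
    """Names of jar cookies that the chosen host-extraction policy would hand
    to script running on this URL. The strict policy returns [] when it cannot
    derive a valid hostname at all."""
    if strict:
        try:
            host = strict_host(url)
        except ValueError:
            return []
        return [name for dom, name in JAR if domain_matches(host, dom)]
    host = naive_host(url)
    return [name for dom, name in JAR if naive_domain_matches(host, dom)]


if __name__ == "__main__":
    # Constructed URL in the shape the article describes: slashes smuggled as %2f
    # so that a ".yahoo.com" ends up inside what a naive parser calls the host.
    for url in ("http://evil.example%2fpages%2fx.yahoo.com/",
                "http://evil.example/pages/x.yahoo.com/",
                "http://www.yahoo.com/mail"):
        print(url, "naive:", cookies_exposed(url, strict=False),
              "strict:", cookies_exposed(url, strict=True))
```

With the %2f-style URL the naive policy hands over the Yahoo cookie, while the strict policy refuses to derive a host at all, which is the right outcome for a cookie-scoping layer: a URL whose authority is not a hostname should get no cookies rather than someone else's. The same validation step also rejects the "%20.msn.com" shape mentioned in the comments below, since the check is on hostname syntax, not on any particular escape sequence.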

Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.

Or, you could migrate to another browser or operating system...

We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.

After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."

Newsbytes and CNET have picked up this story and have good writeups.

14 of 241 comments

  1. You too can be a best selling author by Camel+Pilot · · Score: 4

    Here's how...

    1. Write a book (something catchy and trendy, i.e. "What's good for MS is good for America").

    2. Build a website to promote your book.

    3. Scan for BN and Amazon cookies from those who visit your site.

    4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.

    5. Collect your royalties and move offshore.

  2. Uh Oh by finkployd · · Score: 4

    Revealing proprietary, trade secrets on a public web site? Let's face it, this is MS, there is no way this is a security hole, they are too "innovative" for that kind of sloppy work to get through. This must be a special "enhancement" they made to the way javascript works, and as such, is covered under the DMCA.

    I'll bet it's another letter for you guys :)

    Finkployd

  3. No big deal.. by drwiii · · Score: 5

    I can do that with Netscape too.

    1. Re:No big deal.. by pod · · Score: 4
      Ahh, this looks to be a slashdot specific exploit. It makes slashdot put your loginid and password in the url, and redirects back to the script thus transmitting the referrer.

      It's actually an exploit discussed on CERT where a malicious web site can embed some script in a link to a cgi script, which in turn pastes it into the resulting page unaltered and the victim's browser executes it.

      In this case the script is a bit of javascript that outputs your slashdot cookie via search.pl. All javascript enabled browsers are affected by this.

      It's just a result of sloppy coding.

      --
      "Hot lesbian witches! It's fucking genius!"
  4. Wish I could read the linked article by Mr.+Slippery · · Score: 5

    A bit offtopic...

    While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this exploit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.

    So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.

    Think of it as evolution in action.

    --
    Tom Swiss | the infamous tms | my blog
    You cannot wash away blood with blood
  5. I am gonna... by GNUs-Not-Good · · Score: 5

    put the Kerberos spec from MS in my cookie file.

    That way they will be responsible for distributing their own trade secrets through their own security holes.

    Then, they can sue themselves.

  6. Proxomitron blocks this without killing JS by Kris_J · · Score: 4

    The default installation of Proxomitron disables this exploit without sacrificing the Javascript functionality needed to enjoy the majority of sites. Cool.

  7. And the paranoids rejoice!! by Sasquach · · Score: 4

    Oh GOSH. Now they have the fake name/address/e-mail I always put on stupid registrations. So let Bob Gobman at 1 Happy St. get all the junk mail destined for me. And let the unfortunate fellow whose e-mail is bob@bob.bob get all the spam destined for me.

    Is it just me or do people find reasons to get all up in arms for nothing. For all of you who will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, then DON'T POST YOUR REAL DATA!!!

  8. The other problem by G27+Radio · · Score: 4

    I mentioned this yesterday in the Hotmail thread but it kinda got lost in the shuffle. Slashdot should post an article about the "client-side trojans" discussion that is going on at Zope. Slashdot isn't the only site affected by this--and it's a simple hack:

    WARNING: Clicking this link will cause an article to be posted on Slashdot in your name

    Obviously such a link wouldn't need to warn you what it does, or post such an innocuous message. Maybe I could make it post your slashdot cookies to o :)

    You can see the results in sid=numb and there is a link to the source in there too.

    numb

  9. HOWTO Close up the scripting holes by xDroid · · Score: 4

    How to turn off scripting holes in outlook/IE.
    ------------------------------------------
    In outlook/IE,

    tools -> options -> Security -> Zone settings -> Custom level ->

    under the scripting section disable
    Active scripting,
    Allow Paste operations, and
    Scripting of Java applets.

    Press ok till you are back in outlook/IE.

    Then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.

    (Of course you all probably did this the first day you opened outlook, right?)
    ------------------------------------------

    PS --
    Here is a very nice solution to the .vbs email attachment problem.
    (add .txt to the attachment making it a text file)
    I'm not sure how to implement this in Exchange, though.
    (from Rick Johnson off the saclug.org mailing list)

    -- Andy

    --

    * "Uncle this droid is malfunctioning" -- Luke Skywalker
  10. A potential sploit by MoxCamel · · Score: 4

    So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"?

  11. yes by mr_death · · Score: 5
    Just ran a test with my own amazon account. With 1-click turned on in a previous session:

    1. with my cookies, 1-click enabled.

    2. close browser, remove amazon cookies.

    3. open browser, amazon asks me to log in; no 1-click

    4. close browser, put amazon cookies back

    5. open browser, amazon recognizes me, 1-click enabled, no password required.

    Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.

    --
    It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
  12. Microsoft has known about this for months by Marc+Slemko · · Score: 5

    I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.

    However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.

  13. UNIX _IS_ affected by bjb · · Score: 5
    I don't know how well the tests were performed, but I just tried the test with IE 5 for Solaris and saw my cookie in all its glory.

    Hmm.. I only have IE for Solaris installed on this box for just such occasions.

    --
    Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...