Slashdot Mirror
MSIE's Cookies Are Public
Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.
Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.
Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.
Or, you could migrate to another browser or operating system...
We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.
After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."
Newsbytes and CNET have picked up this story and have good writeups.
I can do that with Netscape too.
A bit offtopic...
While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this expoit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.
So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.
Think of it as evolution in action.
Tom Swiss | the infamous tms | my blog
You cannot wash away blood with blood
put the Kerberos spec from MS in my cookie file.
That way they will be responsible for distributing their own trade secrets through their own security holes.
Then, they can sue themselves.
1. with my cookies, 1-click enabled.
2. close browser, remove amazon cookies.
3. open browser, amazon askes me to log in; no 1-click
4. close browser, put amazon cookies back
5. open browser, amazon recognizes me, 1-click enabled, no password required.
Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.
It's Linux, damnit! Pay no attention to renaming attempts by self-aggrandizing blowhards.
I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.
However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.
Hmm.. I only have IE for Solaris installed on this box for just such occasions.
--
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...