Information Security News mailing list archives

MSIE's cookie jar is public


From: Jamie McCarthy <jamie () MCCARTHY ORG>
Date: Thu, 11 May 2000 17:00:21 -0400

Bennett Haselton has discovered another security flaw.  This one
allows any hostile website to read cookies on its visitors' hard
drives.  It's being called the "Open Cookie Jar."

The vulnerability is due to a bug in the Javascript implementation of
Microsoft Internet Explorer, running on Windows and (according to
unconfirmed reports) running on unix as well.  The bug does not affect
Netscape's browser, nor the Macintosh version of MSIE.

We have had reports that the bug exists for versions of MSIE from 4.0
to 5.5beta.

The workaround is to turn Javascript off in MSIE - or to switch to a
different browser.

Internet shopping, of course, is built on cookies, and MSIE running on
Windows is the majority browser.  It is unknown what impact this
vulnerability will have, but I would estimate it to be major.

Essentially the problem is that MSIE's Javascript function
"document.cookie" interprets its source URL incorrectly.  If that URL
has the "/" following the domain name replaced with its hex encoding
of "%2f", Javascript believes the URL's path is part of the machine
name.  By inserting ".amazon.com/" later in the path, Javascript is
fooled into exposing Amazon's cookie - which can then be delivered
back to a hostile third-party server.

The third-party server can then use the cookie, at that time or a
later date, even on an ongoing basis, to access information on
Amazon's server which is keyed to the user's cookie.  Your name,
for example, is readily determined from your Amazon cookie, as well
as your book and music recommendations.

Amazon is just an example we used for our demonstration.  Sometimes,
of course, just having the cookie violates the user's privacy.  Many
sites store the user's name, email, zip code, or other
personally-identifiable information unencrypted in the cookie file.
With this vulnerability, now everyone knows you're a dog!

And it's possible, I believe, to build an exploit which can under some
circumstances use 1-Click-style ordering to deliver someone a
thousand books which they don't want.  A denial-of-service on their
credit card, if you will.  However, I have not tried to construct a
demonstration of such an exploit.  Still, everyone should be aware
that using Javascript on MSIE has profound implications for system
security.

Bennett and I broke the story here:

http://peacefire.org/security/iecookies/
http://slashdot.org/article.pl?sid=00/05/11/173257

And see also:

http://www.newsbytes.com/pubNews/00/148908.html
http://news.cnet.com/news/0-1005-200-1857707.html
--
        Jamie McCarthy
        jamie () mccarthy org
 http://jamie.mccarthy.org/
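
The paragraph above describes a two-parser confusion: the HTTP layer decodes "%2f" to "/" and fetches the page from the hostile server, while the cookie code stops at the first literal "/" and so treats the whole string up to it as the machine name, which has been arranged to end in ".amazon.com".  The example below is added here to illustrate that mechanism; it is not code from the original post or from the Peacefire demonstration.  The attack URL, the cookie jar and the "naive" host extraction are constructed models of the behaviour the post describes, and the strict version uses the WHATWG URL parser (Node's built-in URL) as the corrected behaviour, which is an assumption about what a fixed browser would do rather than a description of Microsoft's patch.

```javascript
// Added example, not from the original post. Models the cookie-scoping
// confusion described above: one parser decides which host a page came
// from, another decides which cookies that host may read.

// Constructed attack URL (not the Peacefire demo URL). The HTTP fetch
// decodes %2f and retrieves /path/page.html from www.attacker.test; a
// cookie-scoping routine that stops at the first literal "/" sees a
// "host" that ends in ".amazon.com".
const ATTACK_URL = "http://www.attacker.test%2fpath%2fpage.html.amazon.com/";

// Constructed sample cookie jar, as a browser might hold it.
const COOKIE_JAR = [
  { domain: "amazon.com",    name: "session-id", value: "123-4567890-1234567" },
  { domain: "attacker.test", name: "tracker",    value: "abc" },
  { domain: "example.org",   name: "prefs",      value: "lang=en" },
];

// Buggy host extraction as the post describes it: everything between
// "://" and the first literal "/" is taken as the machine name, with no
// percent-decoding. "%2f" is not a slash to this code.
function naiveCookieHost(url) {
  const afterScheme = url.slice(url.indexOf("://") + 3);
  const slash = afterScheme.indexOf("/");
  const host = slash === -1 ? afterScheme : afterScheme.slice(0, slash);
  return host.toLowerCase();
}

// Strict host extraction (assumed corrected behaviour): the WHATWG URL
// parser percent-decodes the host and rejects forbidden host code points
// such as "/", so a host that smuggles "%2f" fails to parse instead of
// being scoped to amazon.com.
function strictCookieHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // invalid URL: no host, therefore no cookies
  }
}

// Cookie domain-matching rule: the host equals the cookie's domain or is
// a subdomain of it (suffix match on a label boundary).
function hostMatchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Cookies a page at `url` would be allowed to read under a given host
// parser, rendered as "name=value" strings.
function cookiesVisibleTo(url, hostParser, jar = COOKIE_JAR) {
  const host = hostParser(url);
  if (host === null) return [];
  return jar
    .filter((c) => hostMatchesDomain(host, c.domain))
    .map((c) => `${c.name}=${c.value}`);
}

// Stand-alone demonstration: the naive parser leaks the Amazon cookie to
// a page served from attacker.test; the strict parser rejects the URL.
console.log("naive host   :", naiveCookieHost(ATTACK_URL));
console.log("naive leaks  :", cookiesVisibleTo(ATTACK_URL, naiveCookieHost));
console.log("strict host  :", strictCookieHost(ATTACK_URL));
console.log("strict leaks :", cookiesVisibleTo(ATTACK_URL, strictCookieHost));
```

The check a practitioner wants from this is the property, not the particular string: every component that makes a security decision from a URL (cookie scope, same-origin checks, zone assignment) must use the same parser as the component that fetches it, and that parser must decode before it splits, or refuse the input outright.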

ISN is sponsored by SecurityFocus.com