Thread: Errrr... IE is dangerous - cookie jacking

  1. #1
    It's all about the Light!
    Tech Admin
    Kym's Avatar
    Join Date
    15 Jun 2008
    Location
    Modbury, Adelaide
    Posts
    9,632

    Errrr... IE is dangerous - cookie jacking

    http://www.ecommerce-journal.com/new...-cookiejacking

    Internet Explorer was found to have a flaw that allows hackers to steal cookies to access their accounts on some websites. The bug was found by security researcher Rosario Valotta, who said it could let hackers steal credentials to access Facebook, Twitter and other websites.

    "Any website. Any cookie. Limit is just your imagination," said Valotta, an independent Internet security researcher based in Italy.

    Hackers can exploit the flaw to access a data file stored inside the browser known as a "cookie," which holds the login name and password to a web account, Valotta said via email.

    As a perpetrator accesses the cookie, they can use it to access the same site, concludes Valotta, who dubs the technique "cookiejacking."

    The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.

    To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked.

    While it may sound like a difficult task, Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman.

    "I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends."
    To paraphrase Yul Brynner... Don't use IE !!
    regards, Kym Gallery Honest & Direct Constructive Critique Appreciated! ©
    Digital & film, Bits of glass covering 10mm to 500mm, and other stuff



  2. #2
    Member
    Join Date
    19 Sep 2007
    Location
    Brisbane
    Posts
    144
    I haven't used IE in about 9 years... I only use it at work 'cause we have nothing else
    Ben

    Camera: 7d
    Lenses: Canon 17 - 55 f2.8, Canon 85mm f1.8, Sigma 30mm f1.4
    Flash: 430 exii

  3. #3
    It's all about the Light!
    Tech Admin
    Threadstarter
    Kym's Avatar

  4. #4
    Member nixworries's Avatar
    Join Date
    10 Sep 2010
    Location
    Collingwood Park
    Posts
    798
    Internet Explorer, hackers love it - I would rather Firefox any day
    canon 5D mark III tamron 24-70 2.8 vc, 50mm 1.8, tamrom 70-200 2.8 vc, remote tripod
    perseverance

    Rob


  5. #5
    can't remember Tannin's Avatar
    Join Date
    16 Apr 2007
    Location
    Huon Valley
    Posts
    4,122
    I recommend Internet Explorer to you all ... but only provided that (a) you live somewhere nearby, and (b) can afford the $80 I'll charge you to remove all the viruses from your infected system and teach you how not to get reinfected. Business is a little slow at the moment and I've got my eye on a new lens, so go right ahead: Internet explorer all the way!

    (Also, be sure NOT to update your Flash player, your PDF reader, or Java. Very important, those three. If everyone kept those three up to date I'd probably have to get a real job.)

  6. #6
    It's all about the Light!
    Tech Admin
    Threadstarter
    Kym's Avatar
    @Tony... You might need to pay Rick an Advertising fee


  7. #7
    Arch-Σigmoid Ausphotography Regular ameerat42's Avatar
    Join Date
    18 Sep 2009
    Location
    Nthn Sydney
    Posts
    23,519
    I have a simple BAT file on the Desktop that clears cookies from their folder in WinXP. I run it soon after starting an internet session, when I remember 2.
    Will post with illustration later.
    Am.
    CC, Image editing OK.

  8. #8
    Amor fati!
    Join Date
    28 Jun 2007
    Location
    St Helens Park
    Posts
    7,272
    ...or just use Opera.

  9. #9
    Arch-Σigmoid Ausphotography Regular ameerat42's Avatar
    Well, I use FireFox, and however good that may be I still delete cookies at least at the end of each session.
    And now an apology for previous misinformation...
    Deleting Cookies in Win XP
    That BAT file was not what I meant.
    It's just a dedicated Win Explorer session I use for the Cookies. (The Bat file is for clearing recent docs. I usually run both after internet sessions.)
    In Win XP, to get straight to the Cookies "folder" (which only looks like a folder), make up another Windows Explorer icon and change the properties so that it goes straight to where the Cookies are hidden.

    To save another 1000 words, here's a pic of it all, which you can expand.
    Am.(Again)


  10. #10
    Member
    Join Date
    13 Nov 2008
    Location
    Brisbane (Northside)
    Posts
    254
    Thanks for the info Kym.

    Quote Originally Posted by ameerat42 View Post
    ...
    To save another 1000 words, here's a pic of it all, which you can expand.
    Am.(Again)

    Or you could use ccleaner. (freeware)
    Matt.

  11. #11
    Formerly : Apollo62
    Join Date
    07 Aug 2010
    Location
    Montmorency
    Posts
    493
    I've made my feelings about IE in another thread ("Help us kill IE...." or something like that) known. I don't like it and this business of it being able to be hacked so it will steal cookies just reinforces my utter dislike for it.

    I've never tried Opera Ving. Well built ladies screeching in Italian just isn't my thing.

  12. #12
    can't remember Tannin's Avatar
    Cookies are harmless.

    Oh yes, they are used to attack Internet Explorer, but name me something that isn't used to attack Internet Explorer.

    Seriously people, how many times do the experts have to explain before you get the point? Don't stuff about with pointless cookie tricks that achieve nothing, repeat nothing. Get a better browser!

  13. #13
    Arch-Σigmoid Ausphotography Regular ameerat42's Avatar
    Quote Originally Posted by Tannin View Post
    Cookies are harmless.

    Oh yes, they are used to attack Internet Explorer, but name me something that isn't used to attack Internet Explorer.

    Seriously people, how many times do the experts have to explain before you get the point? Don't stuff about with pointless cookie tricks that achieve nothing, repeat nothing. Get a better browser!
    I'll defer to your greater aptitude and count this as the 1st time, Tannin. (Can't speak for the others, though.)
    Interesting though, how cookies can be both harmless and yet still attack (even if it's still only poor old) IE.
    You'll excuse me if I choose to STAFF about deleting cookies, even though I use Firefox set to delete them anyway. It's just that I end up with a lot of cookies when I start Skype and MSN Messenger.
    As a POINT, I tend to delete these and any History before logging off, just as a bit of housekeeping, and just on the off-chance they STAFF anything up.

    Well, so far almost nothing has happened, and that's a pretty good trick.


    Thanks, Matt. I do, just not every time.
    Last edited by ameerat42; 04-06-2011 at 4:26pm.

  14. #14
    can't remember Tannin's Avatar
    Quote Originally Posted by ameerat42 View Post
    Interesting though, how cookies can be both harmless and yet still attack (even if it's still only poor old) IE.
    Repeat: cookies are harmless. Cookies are not the problem, never have been a problem, and never will be a problem. To quote Wikipedia (because you don't seem to trust my professional expertise) "Cookies are not software. They can't be programmed, can't carry viruses, and can't unleash malware". That was a pretty fair comment.

    The problem is Internet Explorer. Explorer has had so many vulnerabilities exposed over the years that a colleague of mine once said "patching Internet Explorer is like trying to mend the holes in a net".

    Expending time and ill-informed energy on essentially harmless things like cookies isn't just useless, it is actively counter-productive and harmful, because it distracts attention and care away from the things that actually matter. No-one can devote endless time and energy to computer security, as a matter of simple practicality it is necessary to prioritise between tasks: to elevate the more-or-less useless task of deleting cookies to a routine practice is to demote some other, more important, task.

    Test question: what is a LSO or flash cookie?
    Tony

    It's a poor sort of memory that only works backwards.

  15. #15
    Arch-Σigmoid Ausphotography Regular ameerat42's Avatar
    Let's keep it cool, Tannin. Your professional expertise? How am I to know anything about this? Have I missed something important in your 1st reply? Please elucidate if I have, but don't lecture me.
    This,
    The problem is Internet Explorer. Explorer has had so many vulnerabilities exposed over the years that a colleague of mine once said "patching Internet Explorer is like trying to mend the holes in a net".
    has only the weight of an anecdote. And this,
    Expending time and ill-informed energy on essentially harmless things like cookies isn't just useless, it is actively counter-productive and harmful, because it distracts attention and care away from the things that actually matter. No-one can devote endless time and energy to computer security, as a matter of simple practicality it is necessary to prioritise between tasks: to elevate the more-or-less useless task of deleting cookies to a routine practice is to demote some other, more important, task.
    is just a begged question.

    And,
    Test question: what is a LSO or flash cookie?
    Why just ask me? (I disabled them in the browser on 1st install.)
    Am.
    Last edited by ameerat42; 04-06-2011 at 7:33pm.

  16. #16
    It's all about the Light!
    Tech Admin
    Threadstarter
    Kym's Avatar
    @am - Tony runs a PC sales/support business and spends too much time fixing PC problems that in effect were self-inflicted by bad user behavior.
    He is probably a bit jaded

    Tony is correct in as much as cookies in and of themselves are harmless, with this caveat,
    if the cookie contains sensitive information and I can hi-jack the cookie I can get that information.
    So a badly implemented system that stores login info or other account information in a cookie allows the hi-jacker to get that information.
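
The caveat in post #16, as an added example (not written by any poster in this thread): a cookie that stores the login and password hands both to whoever copies it, while a cookie holding only a random server-side session ID discloses nothing about the account and can be expired or revoked. All names here (`weak_cookie`, `SessionStore`, the 30-minute TTL, the sample user and password) are assumptions made for the illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; assumed policy value for this example

def weak_cookie(user, password):
    # Weak design: the cookie itself carries the login name and password.
    return f"user={user}; pass={password}"

def read_weak_cookie(cookie):
    # Whoever holds a copy of this cookie reads the credentials straight out.
    return dict(part.strip().split("=", 1) for part in cookie.split(";"))

class SessionStore:
    """Server-side sessions: the cookie holds only a random opaque ID."""

    def __init__(self, now=time.time):
        self._sessions = {}
        self._now = now  # injectable clock so expiry can be tested

    def login(self, user):
        sid = secrets.token_urlsafe(32)  # unguessable, carries no account data
        self._sessions[sid] = {"user": user, "expires": self._now() + SESSION_TTL}
        return sid  # this value is what goes in the Set-Cookie header

    def lookup(self, sid):
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._now() >= entry["expires"]:
            del self._sessions[sid]  # expired: a stale copy is now useless
            return None
        return entry["user"]

    def revoke_user(self, user):
        # Call on password change or suspected theft: kills every copy.
        stale = [s for s, e in self._sessions.items() if e["user"] == user]
        for sid in stale:
            del self._sessions[sid]

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(read_weak_cookie(weak_cookie("alice", "constructed-pw")))
    store = SessionStore()
    copied = store.login("alice")
    print(store.lookup(copied))  # a copied ID still works until revoked
    store.revoke_user("alice")
    print(store.lookup(copied))  # None after revocation
```

A copied session ID still grants access until it expires or is revoked, which is why the server-side expiry and `revoke_user` matter.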

  17. #17
    Arch-Σigmoid Ausphotography Regular ameerat42's Avatar
    Tannin, thanks for the info you provided anyway. Am.
