May 25, 2011 18:54 GMT

A zero-day vulnerability affecting every Internet Explorer version allows attackers to execute a clickjacking-like attack in order to steal session cookies.

The attack, dubbed cookiejacking, was disclosed last week by independent security researcher Rosario Valotta at the Hack in the Box 2011 security conference in Amsterdam.

The attack is not straightforward to pull off and combines several techniques, including a fair bit of social engineering; however, if done properly it can prove very effective.

The IE bug is that the browser will load a cookie's contents when the cookie file on disk is referenced as the src of an IFrame.

However, since the cookie path is dependent on the Windows user, the attacker needs to determine this value. Mr. Valotta describes a web-based method that tricks the browser into revealing the victim's username.

The version of the operating system also needs to be determined, because cookies are stored in different locations on different Windows flavours. This can be done by inspecting the navigator.userAgent property.

However, loading a cookie, which is basically a text file, inside an IFrame does not allow the attacker to actually read it, because of restrictions built into the browser.

To bypass this, the attacker needs to trick the victim into handing over the cookie content. This means getting the victim to select the text and paste it into an attacker-controlled container.

Obviously this would look very suspicious, so attackers need to use clickjacking techniques to hide what is going on. In Valotta's example, he hid the rogue actions behind a simple game in which the user has to drag a ball through a basketball hoop.

Because all Internet Explorer versions on all versions of Windows are affected, Valotta warns that the pool of potential victims is huge. Also, there are not many defenses against clickjacking techniques in IE.


Softpedia.com was an official media partner at HITBSecConf 2011 Amsterdam.