An opening to steal your cookies


Microsoft works to close security gap in Internet Explorer

A client-side demonstration from Peacefire shows how tinkering with a Web address could provide a method for harvesting a "cookie" from someone else, if that person were to click on a cleverly crafted Internet link.

By Alan Boyle, MSNBC, May 11

Computer bug-hunters have pointed out a way to snare personal information from a cookie file if the victim uses Microsoft Internet Explorer and clicks on a disguised string of JavaScript code. Microsoft said it was working on a patch for the security hole.

THE POTENTIAL vulnerability was reported Thursday by Bennett Haselton and Jamie McCarthy on the Peacefire.org Web site. Haselton, who organized Peacefire as an anti-censorship group for young people, has worked on methods to circumvent content-blocking software in the past. More recently, he has pointed out a series of Web-based vulnerabilities involving Hotmail e-mail accounts as well as Microsoft and Netscape browsers. (Microsoft, which operates Hotmail, is a partner in MSNBC.)

This glitch involves the way Microsoft Internet Explorer interprets Web addresses, known as uniform resource locators, or URLs, for providing access to cookie information. Cookies are short text files stored on your computer that contain data on preferences or perhaps even passwords for particular Web sites.

Here's how the cookie-stealing technique works, as explained by Haselton: When a user connects with a Web site, the browser looks at the address you type in (for example, www.amazon.com) to determine whether it should provide access to a particular cookie. In this example, the Amazon.com Web server would be given access to the Amazon.com cookie. Haselton constructed a JavaScript program to demonstrate how Internet Explorer could be fooled into thinking that it was opening access to cookie information for a particular site, when it was actually allowing the cookie to be sent to the Peacefire.org server.

He replaced the slashes and a question mark in a long Internet address with an alternate string of hexadecimal characters, such as %2f and %3F. Those characters were interpreted in such a way that the browser connected with Peacefire's site, but opened access to another specified site's cookies. (Peacefire published the full explanation and a client-side demonstration.) A user would have to be coaxed into clicking on a button or a link that would activate the cookie-stealing code.
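The mismatch the article describes, two code paths inside one browser deriving different hosts from the same address because one percent-decodes before splitting on "/" and "?" and the other splits first, can be checked for directly. The following Python is an added example written for this page; it is not Peacefire's demonstration or Microsoft's patch, and because the article does not give Internet Explorer's actual parsing rules it models the flaw generically: `host_for_connection` splits before decoding, `host_after_naive_decode` decodes first, and `cookies_for_request` releases cookies only when both agree on the host. The host names and the cookie jar are constructed placeholders.

```python
from typing import Optional
from urllib.parse import urlsplit, unquote

# Constructed sample cookie jar keyed by host. Both hosts are placeholders
# (example.com / example.org are reserved documentation names), not sites
# named in the article.
SAMPLE_JAR = {
    "www.example.com": {"cart": "item42"},
    "mail.example.org": {"auth": "session-token"},
}


def host_for_connection(url: str) -> Optional[str]:
    """Host the browser actually connects to.

    Structural delimiters ("/", "?", "#") are honoured before any
    percent-decoding, so an encoded "%2f" stays part of the authority
    instead of terminating it.
    """
    return urlsplit(url).hostname


def host_after_naive_decode(url: str) -> Optional[str]:
    """Host as seen by a component that percent-decodes the whole URL first.

    This models the class of mistake the article describes: the same string
    is split into host and path in two different orders by two code paths.
    """
    return urlsplit(unquote(url)).hostname


def cookie_scope_is_consistent(url: str) -> bool:
    """True when both interpretations agree on which host owns the request."""
    return host_for_connection(url) == host_after_naive_decode(url)


def cookies_for_request(url: str, jar: dict) -> dict:
    """Cookies that may accompany a request to ``url``.

    The scope is derived from the connection host only, and a URL whose host
    changes under decoding is treated as ambiguous and gets no cookies at all.
    """
    if not cookie_scope_is_consistent(url):
        return {}
    return dict(jar.get(host_for_connection(url), {}))


if __name__ == "__main__":
    # Constructed inputs: a plain address and one with encoded delimiters.
    for url in (
        "http://www.example.com/cart?item=42",
        "http://www.example.com%2fpage%3Fnext=mail.example.org",
    ):
        print(url)
        print("  connection host:  ", host_for_connection(url))
        print("  naive-decode host:", host_after_naive_decode(url))
        print("  cookies sent:     ", cookies_for_request(url, SAMPLE_JAR))
```

The design point is the one Microsoft's fix had to make: cookie scope must come from the same canonical host the connection uses, and any address on which two parsers disagree should be treated as hostile input rather than resolved in favour of either reading.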

Haselton acknowledged that cookies don't generally store a user's most sensitive personal information, such as credit card numbers. However, some free e-mail sites such as Hotmail and Yahoo use cookies to authenticate users if they were already logged in to the sites. "You could gain access to their account until the next time that they log out," Haselton told MSNBC.com. When the user logs out, that clears the cookie file. Cookies are also used by e-commerce sites to keep track of a user's shopping cart. Amazon.com's cookie could provide information about a person's taste in reading material, although the user's actual purchases are not recorded in the cookie, Haselton said. A determined break-in artist could harvest information from cookies, try to decipher usernames and passwords, then try using that same login information at other Web sites, he said.

There was no sign Thursday that the technique was being used in the wild for malicious purposes. Haselton and McCarthy said they found the security hole in Internet Explorer for Windows 95, 98 and NT, and other users reported that it affected IE for Windows 2000 and Unix as well.

In a statement, Microsoft acknowledged that the vulnerability could allow a malicious Web site to read, change or delete cookies that belong to another Web site. But Scott Culp, a program manager for the Microsoft Security Response Center, said the company was working on a patch that would close the security hole.

A bulletin explaining the issue and providing access to the patch would be posted on the company's Web site, he said. On Thursday, Culp couldn't predict when the patch would be completed and tested.

Haselton and McCarthy advised Internet Explorer users to disable JavaScript until the fix was in. Culp had a more specific prescription: "Customers who are concerned about the issue can protect themselves by turning off active scripting in the Internet Security Zone."

The security zones, found under Tools/Internet Options, specify levels of functionality for different categories of sites. Trusted Web sites (well-known, well-administered sites that aren't going to do something malicious to a user) could be subject to lighter security than unfamiliar Web sites, he said.

Worries about online security have taken a higher profile since this month's worldwide distribution of the Love Bug e-mail worm, and privacy advocates have raised concerns about the use of cookies long before the Love Bug hit.

Culp said normal security practices include the recommendation that cookies should not contain such things as passwords or financial information. "If that's been followed, there's no sensitive information to be gained, even by getting a cookie," he said.

http://www.msnbc.com/news/406496.asp#BODY

-- Martin Thompson (mthom1927@aol.com), May 12, 2000
