[LINUX:15482] Internet Explorer security vulnerability - one more


From: sozmen (sozmen@zk3.dec.com)
Date: Thu 11 May 2000 - 21:00:20 EEST


Any Web site that uses cookies to authenticate users or store private
information -- including Amazon.com, HotMail, Yahoo Mail,
DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have
cookies exposed by Internet Explorer and intercepted by a
third-party Web site.

How it works
Using a specially constructed URL, a Web site can read Internet Explorer
cookies set from any domain. For example, to read a user's
Amazon.com cookie, a site could direct the user's browser to:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

If you replace the "%2f"'s with "/" characters, and the "%3F" with "?",
this URL is actually:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
But IE gets confused and thinks the page is located in the Amazon.com
domain, so it allows the page to read the user's Amazon.com
cookie.

Affected:
Internet Explorer (all known versions) for Windows 95, 98 and NT. IE for
the Macintosh and IE for UNIX do not appear to be affected, and
no version of Netscape Navigator or any other browser is vulnerable.

Workaround:
If you are using Internet Explorer for Windows, the safest workaround is to
disable JavaScript. Apparently when the browser loads one of
these "funny" URL's like
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

the Amazon.com cookie is only available to JavaScript code on the page; it
is not submitted to the server in an HTTP header. Also, if you
have Netscape's browser installed, it is not affected by the bug.

Implications

Jamie McCarthy came up with a list of cookies set by various sites that
could be used to retrieve sensitive information:

     By intercepting a cookie set by HotMail, Yahoo Mail or any other free
     Web-based email sites that use cookies for authentication, the
     operator of a hostile Web site could break into a visitor's HotMail
     account and read the contents of their Inbox. (HotMail cookies do not
     contain user passwords, but they do allow a third party to access a
     user's HotMail account for as long as that user stays logged in,
     since each separate login generates a new cookie.)

     A user's Amazon.com cookie could be used to visit Amazon.com
     impersonating that user, and access their real name, email address,
     and the user's list of "recommended titles" -- which can be used to
     determine what types of books or CD's the user has purchased from
     Amazon in the past. (You cannot, however, access the user's credit
     card number or their actual list of previous Amazon.com orders, since
     accessing this information requires a password that is not contained
     in the cookie.)

     A user's MP3.com cookie stores their email address.

     A user's NYTimes.com cookie stores their NYTimes.com password. This
     isn't useful by itself, since the password is only needed to browse
     articles on NYTimes.com, but exposing this password is still
     dangerous since users might have the same password set up for
     several different sites.

     A user's Hollywood.com cookie stores their city, state, and zip code.

     A user's Playboy.com cookie stores the fact that the user has visited
     Playboy.com -- which not every Playboy visitor would want the whole
     world to know. (Yeah, we know, you just wanted to read the Jesse
     Ventura interview.)

For more detailed information, see:

http://www.peacefire.org/security/iecookies/
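
The two readings of the URL described under "How it works", as an added example that is not part of the original message. It does not reproduce Internet Explorer's code; it only shows how the undecoded authority and the decoded one disagree, and a check that flags such URLs. Function names are hypothetical.

```javascript
// Added illustration; function names are hypothetical and this is not IE's code.
const ADVISORY_URL =
  "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com";

// RFC 3986 split: the authority ends at the first literal "/", "?" or "#"
// after "scheme://". Percent-escapes are left undecoded.
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The other reading: decode escapes first, then split.
function authorityAfterDecoding(url) {
  try {
    return rawAuthority(decodeURIComponent(url));
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
}

// Suffix match of the kind used to decide which cookies a host may see.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host === d || host.endsWith("." + d);
}

// Defensive check: flag a URL when the two readings disagree or when the
// authority carries an encoded "/", "?", "#", "@" or "\".
function checkUrl(url) {
  const raw = rawAuthority(url);
  const decoded = authorityAfterDecoding(url);
  const encodedDelimiter = raw !== null && /%(2f|3f|23|40|5c)/.test(raw);
  return {
    raw,
    decoded,
    suspicious: raw === null || raw !== decoded || encodedDelimiter,
  };
}

const result = checkUrl(ADVISORY_URL);
console.log(result);
console.log("raw reading matches .amazon.com:", domainMatches(result.raw, ".amazon.com"));
console.log("decoded reading matches .amazon.com:", domainMatches(result.decoded, ".amazon.com"));
```

The undecoded authority ends in ".amazon.com" while the decoded one is www.peacefire.org, which is the mismatch the advisory describes.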

 



This archive was generated by hypermail 2b29 : Thu 11 May 2000 - 21:00:32 EEST