A computer security researcher from Italy discovered a flaw in the Internet Explorer browser, which he named ‘cookiejacking’, that could enable hackers to steal cookies from a PC and then log on to password-protected websites. It could let hackers steal credentials to access Facebook, Twitter and other websites.
The vulnerability affects all versions of Internet Explorer, including IE 9, on every version of the Windows operating system.
To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
According to Rosario Valotta, who discovered the flaw:
“Any website. Any cookie. Limit is just your imagination. Hackers can exploit the flaw to access a data file stored inside the browser known as a “cookie” which holds the login name and password to a web account. Once a hacker has that cookie, he or she can use it to access the same site.”
Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.
A Microsoft spokesman said:
“Given the level of required user interaction, this issue is not one we consider high risk. In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into.”