Fun_People Archive
11 May
Uh-oh . . . MSIE's cookie jar is public


Content-Type: text/plain
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Thu, 11 May 100 14:20:58 -0700
To: Fun_People
Precedence: bulk
Subject: Uh-oh . . . MSIE's cookie jar is public

X-Lib-of-Cong-ISSN: 1098-7649  -=[ Fun_People ]=-
X-http://www.langston.com/psl-bin/Fun_People.cgi

[If you use Internet Explorer on a PC, this is for you...  -psl]

From: Jamie McCarthy

Bennett Haselton has discovered another security flaw.  This one allows
any hostile website to read cookies on its visitors' hard drives.  It's
being called the "Open Cookie Jar."

The vulnerability is due to a bug in the Javascript implementation of
Microsoft Internet Explorer, running on Windows and (according to
unconfirmed reports) running on unix as well.  The bug does not affect
Netscape's browser, nor the Macintosh version of MSIE.

We have had reports that the bug exists for versions of MSIE from 4.0 to
5.5beta.

The workaround is to turn Javascript off in MSIE - or to switch to a
different browser.

Internet shopping, of course, is built on cookies, and MSIE running on
Windows is the majority browser.  It is unknown what impact this
vulnerability will have, but I would estimate it to be major.

Essentially the problem is that MSIE's Javascript function "document.cookie"
interprets its source URL incorrectly.  If that URL has the "/" following
the domain name replaced with its hex encoding of "%2f", Javascript believes
the URL's path is part of the machine name.  By inserting ".amazon.com/"
later in the path, Javascript is fooled into exposing Amazon's cookie -
which can then be delivered back to a hostile third-party server.

The third-party server can then use the cookie, at that time or a later
date, even on an ongoing basis, to access information on Amazon's server
which is keyed to the user's cookie.  Your name, for example, is readily
determined from your Amazon cookie, as well as your book and music
recommendations.

Amazon is just an example we used for our demonstration.  Sometimes, of
course, just having the cookie violates the user's privacy.  Many sites
store the user's name, email, zip code, or other personally-identifiable
information unencrypted in the cookie file.  With this vulnerability, now
everyone knows you're a dog!

And it's possible, I believe, to build an exploit which can under some
circumstances use 1-Click-style ordering to deliver someone a thousand
books which they don't want.  A denial-of-service on their credit card, if
you will.  However, I have not tried to construct a demonstration of such
an exploit.  Still, everyone should be aware that using Javascript on MSIE
has profound implications for system security.

Bennett and I broke the story here:

http://peacefire.org/security/iecookies/
http://slashdot.org/article.pl?sid=00/05/11/173257

And see also:

http://www.newsbytes.com/pubNews/00/148908.html
http://news.cnet.com/news/0-1005-200-1857707.html
-- 
        Jamie McCarthy
        jamie@mccarthy.org
        http://jamie.mccarthy.org/
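The URL confusion described in the message, as an added example that is not part of the original post or of any browser's code: two lenient host parsers that model the kind of disagreement involved (the post does not give Microsoft's actual logic, so their exact shape is an assumption), beside a strict parser that refuses any authority whose decoded form still contains a delimiter. `DEMO_URL` is a constructed sample in the shape the post describes.

```javascript
// Added example, not from the post: lenient parser models (assumptions) vs a strict one.

// Constructed sample: "%2f" replaces the first "/" and ".amazon.com/" sits later in the path.
const DEMO_URL = "http://hostile.example%2fshowcookie.html%3f.amazon.com/";

function afterScheme(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([\s\S]*)$/i.exec(url);
  return m ? m[1] : null;
}

// Lenient parser A: host is everything before the first literal "/", "?" or "#",
// with no percent-decoding, so an encoded "%2f" never terminates the host.
function hostBeforeDecoding(url) {
  const rest = afterScheme(url);
  return rest === null ? null : rest.split(/[\/?#]/, 1)[0].toLowerCase();
}

// Lenient parser B: percent-decode the whole URL first, then split.
// This is the host a fetch would actually contact.
function hostAfterDecoding(url) {
  const rest = afterScheme(url);
  if (rest === null) return null;
  try { return decodeURIComponent(rest).split(/[\/?#]/, 1)[0].toLowerCase(); }
  catch (e) { return null; }  // malformed percent-escape
}

// Strict parser: isolate the authority before decoding, strip userinfo and port,
// then reject the host if its decoded form still contains a URL delimiter.
function strictHost(url) {
  const raw = hostBeforeDecoding(url);
  if (raw === null) return null;
  const host = raw.slice(raw.lastIndexOf("@") + 1).replace(/:\d*$/, "");
  let decoded;
  try { decoded = decodeURIComponent(host); } catch (e) { return null; }
  return /[\/?#@:\\\s%]/.test(decoded) ? null : decoded;
}

// Cookie-style domain match: exact host, or the cookie domain as a dotted suffix.
function domainMatches(host, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  return host !== null && (host === d || host.endsWith("." + d));
}

// Defender's check: unsafe whenever the two lenient parsers disagree, since one
// component may then trust a host that another never contacts.
function hostIsAmbiguous(url) {
  return hostBeforeDecoding(url) !== hostAfterDecoding(url);
}
```

On `DEMO_URL` parser A ends in `.amazon.com` and passes a cookie-domain match while parser B yields `hostile.example`; the strict parser returns `null` for it and a plain `www.amazon.com` URL passes all three unchanged.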


© 2000 Peter Langston