IE ‘Cookiejacking’ - Microsoft downplays the threat

Issue is not high risk: Microsoft
According to various sources, Microsoft, in a statement, has downplayed the threat and believes that the users are unlikely to face any impact due to the level of complication in the process.

Microsoft spokesman, Jerry Bryant said, "Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users."

He added, "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and email, as well as adjusting Internet settings to higher security levels."

Researcher Rosario Valotta, who discovered the vulnerability, demonstrated the findings at security conferences in Switzerland and Amsterdam, which he also explained on his blog.

According to Valotta, the technique exploits a zero-day bug that exists in every IE version on every Windows operating system (OS).

However, Valotta acknowledged that using the flaw to steal information would require the hacker to employ advance ‘click-jacking’ technique, where the user would have to be tricked to drag and drop the cookie.

Exploiting the bug
Cookies store information like username, password, and user's browsing history, which is mainly used by websites to identify the user.

Valotta showed his drag and drop technique with a Facebook game that allowed a user to drag clothes off the picture of a woman, which gave him access to the user’s Facebook details.

Valotta stated, "I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server."

"And I've only got 150 friends," said Valotta, who believes that the technique could be used to get any information from web mail to online baking details.