TECH
05/27/2011 11:56 am ET Updated Jul 27, 2011

Internet Explorer 'Cookiejacking' Security Flaw Discovered

A security researcher has discovered a flaw in Internet Explorer that could allow hackers to steal cookies to log onto password-protected websites, such as Facebook, Twitter, and others.

Rosario Valotta, an Italian security professional, unveiled the attack, which he called "cookiejacking" at a security conference earlier this month. The hack affects all versions of Internet Explorer.

Who's vulnerable? This "cookiejacking" could affect "any website. Any cookie. Limit is just your imagination," said Valotta.

To execute the hack, an attacker would need the user's Windows username. To retrieve it, he would have to trick a user into dragging and dropping an object across the screen before stealing the user's cookie. For example, Valotta created a jigsaw puzzle game on Facebook where users undress a photo of a woman. The hacker would also need to know the user's operating system.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he told Reuters. "And I've only got 150 friends."

Microsoft said in an emailed statement that it doesn't consider the hack a "high risk" issue.

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into," Microsoft stated. "We encourage all customers to protect themselves against potential issues by avoiding clicking on suspicious links and e-mails, as well as adjusting Internet settings to higher security levels."