A security researcher has developed a method that compromises the digital credentials needed to access accounts on Facebook and other websites by exploiting a flaw in Microsoft's Internet Explorer (IE) browser, The Register reported.
Rosario Valotta, the researcher, explained the concept, which he calls 'cookiejacking', at the Hack in the Box security conference in Amsterdam.
The technique uses a flaw present in all current versions of IE to steal the session cookies that websites create once a user has logged in with a valid username and password. The cookie acts as a digital credential that allows the user to access a specific account.
Valotta said the process primarily targets cookies created by Facebook, Twitter and Google Mail, but the procedure can be used on almost any website and can affect all versions of Windows.
He added that by embedding a special tag, called an iframe, the attacker can easily get around the cross-zone restrictions and force the browser to expose cookies stored on the user's computer. However, before carrying out the procedure, the attacker has to know the person's Windows username and where the cookies are stored on the hard drive, which can differ between versions of Windows.
Valotta said that, before carrying on with his experiment, he alerted the Microsoft security team in January, and that the company will be sending updates to fix the problem in June and August.