Uh-oh . . . MSIE's cookie jar is public
Mime-Version: 1.0 (NeXT Mail 3.3 v118.2)
From: Peter Langston <psl>
Date: Thu, 11 May 100 14:20:58 -0700
Subject: Uh-oh . . . MSIE's cookie jar is public
X-Lib-of-Cong-ISSN: 1098-7649 -=[ Fun_People ]=-
[If you use Internet Explorer on a PC, this is for you... -psl]
From: Jamie McCarthy
Bennett Haselton has discovered another security flaw. This one allows
any hostile website to read cookies on its visitors' hard drives. It's
being called the "Open Cookie Jar."
Microsoft Internet Explorer, running on Windows and (according to
unconfirmed reports) running on unix as well. The bug does not affect
Netscape's browser, nor the Macintosh version of MSIE.
We have had reports that the bug exists for versions of MSIE from 4.0 to
Internet shopping, of course, is built on cookies, and MSIE running on
Windows is the majority browser. The impact this vulnerability will have
is unknown, but I would estimate it to be major.
interprets its source URL incorrectly. If that URL has the "/" following
the URL's path is part of the machine name. By inserting ".amazon.com/"
which can then be delivered back to a hostile third-party server.
The third-party server can then use the cookie, at that time or a later
date, even on an ongoing basis, to access information on Amazon's server
which is keyed to the user's cookie. Your name, for example, is readily
determined from your Amazon cookie, as well as your book and music
Amazon is just an example we used for our demonstration. Sometimes, of
course, just having the cookie violates the user's privacy. Many sites
store the user's name, email, zip code, or other personally-identifiable
information unencrypted in the cookie file. With this vulnerability, now
everyone knows you're a dog!
And it's possible, I believe, to build an exploit which can, under some
circumstances, use 1-Click-style ordering to deliver someone a thousand
books which they don't want. A denial-of-service on their credit card, if
you will. However, I have not tried to construct a demonstration of such
has profound implications for system security.
Bennett and I broke the story here:
And see also:
© 2000 Peter Langston
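An added illustration of the bug class described in the message above, written for this page and not taken from Peacefire, Microsoft, or the message's authors. It models a cookie jar keyed by host-name suffix together with a URL parse that lets part of the path ride along as the machine name, which is all the message says about the mechanism. The exact mis-parse in MSIE is not given on the page, so the "%2F" trick, the two competing parsers, the host names (evil.example), and the cookie names and values are assumptions and constructed sample data, not the real exploit.

```javascript
// Added illustration (not code from Peacefire, Microsoft or the message above).
// Assumptions, not from the page: the crafted URL percent-encodes the first "/"
// after the host as "%2F"; the "network" and "cookie" parsers below are models;
// hosts, cookie names and values are constructed sample data.

// Constructed cookie jar. Netscape-style cookies are scoped to a domain suffix:
// a leading "." matches that domain and every subdomain of it.
const cookieJar = [
  { domain: ".amazon.com", name: "session-id", value: "constructed-session" },
  { domain: ".amazon.com", name: "x-main", value: "constructed-name-token" },
  { domain: "evil.example", name: "tracker", value: "constructed-tracker" },
];

// Domain match as a cookie jar does it: exact host, or host ends with the
// dotted suffix. This suffix rule is what turns a mis-parsed host into a leak.
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  return d.startsWith(".") ? h === d.slice(1) || h.endsWith(d) : h === d;
}

// What document.cookie would expose to a page the browser believes is on `host`.
function cookiesVisibleTo(host) {
  return cookieJar.filter((c) => domainMatches(host, c.domain)).map((c) => c.name);
}

// Model of the network layer: percent-decodes first, then cuts the authority at
// the first "/". This is the host the browser actually connects to.
function connectHost(url) {
  const rest = decodeURIComponent(url.replace(/^https?:\/\//i, ""));
  return rest.split("/")[0].toLowerCase();
}

// Model of the buggy cookie-scoping parse: everything up to the first *literal*
// "/" is taken as the machine name, with no decoding, so "%2F" hides the real
// end of the host and a trailing ".amazon.com" becomes part of it.
function buggyCookieHost(url) {
  const rest = url.replace(/^https?:\/\//i, "");
  return rest.split("/")[0].toLowerCase();
}

// Standards-based parse (WHATWG URL, as Node implements it): the host is
// percent-decoded and then rejected if it contains "/", so the crafted URL
// is refused outright rather than mis-scoped. Returns null on rejection.
function strictHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Hardened scoping: the only host allowed to key cookie access is the one the
// connection was made to, and it must agree with the strict parse. Any
// disagreement between parsers is treated as hostile and yields no cookies.
function safeCookiesFor(url) {
  const strict = strictHost(url);
  if (strict === null || strict !== connectHost(url)) return [];
  return cookiesVisibleTo(strict);
}

// Side-by-side report for one URL: who is really served, what the buggy
// scoping would hand the page, and what the hardened scoping hands it.
function report(url) {
  return {
    connectsTo: connectHost(url),
    buggyScope: buggyCookieHost(url),
    buggyCookies: cookiesVisibleTo(buggyCookieHost(url)),
    safeCookies: safeCookiesFor(url),
  };
}

// Constructed crafted URL: really served by evil.example, but the buggy parse
// sees a machine name ending in ".amazon.com".
const craftedUrl = "http://evil.example%2Fpage.html.amazon.com/";

console.log(JSON.stringify(report(craftedUrl), null, 2));
console.log(JSON.stringify(report("http://www.amazon.com/"), null, 2));
```

The point the model makes is not the particular escape sequence but the discrepancy: the connection, the display of the page, and the cookie jar all need to agree on one canonical host, derived once from a strict parse, and a cookie jar that matches on suffix will hand its contents to any string that happens to end in the right domain.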