Rosario Valotta, an independent internet security researcher based in Italy, has dubbed the technique “cookiejacking” although we would have thought Biscotti jacking would be more Italian.
He said that it is possible to hack any website, and any cookie. The limit is just your imagination.
Valotta told Reuters that hackers access the browser cookie, which holds the login name and password to a web account.
Once a hacker has that cookie, he or she can use it to access the same site, said Valotta. The vulnerability affects all versions of Internet Exploder including the new one.
It does require a bit of social engineering for the hack to work. The hacker must persuade the victim to drag and drop an object across the PC’s screen before the cookie can be hijacked.
To get around this problem Valotta built a puzzle that he put up on Facebook in which users are challenged to “undress” a photo of an attractive woman.
Valotta stuck the puzzle on Facebook and within less than three days, more than 80 cookies were sent to the server. He pointed out that he only had 150 friends. We guess he would have 80 fewer now.
However, Vole insists that there is little risk a hacker could succeed in a real-world cookiejacking scam because of the high degree of user interaction required.
The user would have to visit a malicious website, be convinced to click and drag items around the page and the hacker would get a cookie which logged them into the… er, malicious website.