Peacefire.org -- Youth against Internet censorship -- "It's not a crime to be smarter than your parents."
Bennett Haselton, bennett@peacefire.org
Jamie McCarthy, jamie@mccarthy.vg
5/11/2000
News sightings: Wall Street Journal, NYTimes (Note), CNNfn, Slashdot, CNet, Internet News Radio, Newsbytes, MSNBC, ComputerWorld, National Post, WebDeveloper.com
See also:
JavaScript-in-cookies security hole (4/19/00): C-Net, ZDNet, NTSecurity, MSNBC
Eudora "stealth attachment" demo page (4/27/00): C-Net, ZDNet, Newsbytes, The Register
Internet Explorer "local JavaScript" security hole (5/5/00): C-Net, NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00): C-Net, CNN.com
HotMail Attachment security hole (5/10/00): Wired, ZDNet, Slashdot, MSNBC, CNN.com
Any Web site that uses cookies to authenticate users or store private information -- including Amazon.com, HotMail, Yahoo Mail, DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.
Update 5/18/2000: Microsoft has released a patch that will fix
this vulnerability in Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
If you have Internet Explorer for Windows, type a domain (e.g. "yahoo.com"
or "hotmail.msn.com") in the space below, and click the button to view a page on
Peacefire.org that will display your cookie for that domain. (You must click the
button to submit the domain name; hitting Enter will not work.)
Pascal Gaudette reported that the same scheme will work for HTTPS cookies
as long as the server referenced by the "malformed URL" is HTTPS-enabled.
You can use this form to read HTTPS cookies (enter a domain name and press
the button). (You must click the button to submit the domain name; hitting
Enter will not work.)
How it works
Using a specially constructed URL, a Web site can read Internet
Explorer cookies set from any domain. For example, to read a user's
Amazon.com cookie, a site could direct the user's browser to:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
If you replace the "%2f"s with "/" characters and the "%3F" with "?",
this URL is actually:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
That is, the page is served by peacefire.org, and ".amazon.com" is nothing
more than its query string. But because every "/" and the "?" are
percent-encoded, IE gets confused and thinks the page is located in the
Amazon.com domain, so it allows the page to read the user's Amazon.com cookie.
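The confusion described above, modelled as an added example (this is not Peacefire's code and not a reconstruction of Internet Explorer's actual implementation): a naive host extractor that scans for the first literal "/" or "?" treats the whole percent-encoded remainder of the URL as the host name, which ends in ".amazon.com" and so satisfies suffix-based cookie domain matching. A strict parser (the WHATWG URL parser built into Node.js) percent-decodes the host first and rejects the URL outright. The cookie-matching helper is an assumption of the example; the URL constant is the one from the page.

```javascript
'use strict';
// Added example, not code from Peacefire.org: a model of the host confusion
// described on the page, not Internet Explorer's internals.
// The constant below is the exact malformed URL shown on the page.
const MALFORMED_URL =
  'http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com';

// Naive host extraction: everything after "://" up to the first literal
// "/", "?" or "#". Every slash and the "?" in the malformed URL are
// percent-encoded, so nothing stops the scan and the whole remainder is
// treated as the host name.
function naiveHost(url) {
  const i = url.indexOf('://');
  if (i < 0) return null;
  const rest = url.slice(i + 3);
  const end = rest.search(/[\/?#]/);
  return end < 0 ? rest : rest.slice(0, end);
}

// Strict host extraction via the WHATWG URL parser, which percent-decodes
// the host and rejects the URL if the result contains "/" or "?".
function strictHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // invalid URL: no host, therefore no cookie scope
  }
}

// Cookie domain matching of the era (Netscape / RFC 2109 style, assumed
// here): a cookie with Domain=.amazon.com is sent to "amazon.com" and to
// any host whose name ends with ".amazon.com". Suffix matching is exactly
// what the bogus "host" above satisfies.
function cookieDomainMatches(host, cookieDomain) {
  if (!host) return false;
  const h = host.toLowerCase();
  let d = cookieDomain.toLowerCase();
  if (!d.startsWith('.')) d = '.' + d;
  return h === d.slice(1) || h.endsWith(d);
}

// What the browser actually fetches once the percent-encoding is undone:
// a page on peacefire.org, with ".amazon.com" left over as the query string.
function decodedUrl(url) {
  return decodeURIComponent(url);
}

// Run both host extractors against one cookie domain and report whether
// each would hand the page the cookie, plus the host really serving it.
function cookieLeaks(url, cookieDomain) {
  const naive = naiveHost(url);
  const strict = strictHost(url);
  return {
    naiveHost: naive,
    naiveLeaks: cookieDomainMatches(naive, cookieDomain),
    strictHost: strict,
    strictLeaks: cookieDomainMatches(strict, cookieDomain),
    realHost: strictHost(decodedUrl(url)),
  };
}

console.log(cookieLeaks(MALFORMED_URL, '.amazon.com'));
// The same trick with an HTTPS scheme, as in the HTTPS variant reported above.
console.log(cookieLeaks(MALFORMED_URL.replace('http://', 'https://'), '.amazon.com'));
```

The lesson is the same one RFC-style URL handling has always implied: decide which host a URL belongs to before any percent-decoding, and reject a host that decodes to something containing a delimiter, rather than letting suffix matching run over the undecoded string.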
Affected:
Internet Explorer (all known versions) for Windows 95, 98, NT, and
2000.
IE for the Macintosh does not appear to be affected. Users have
reported that IE versions for Solaris and HP/UX are
vulnerable, but IE's browser share on UNIX platforms is much lower.
No version of Netscape Navigator or any browser other than
Internet Explorer appears to be vulnerable.
Workaround:
As of 5/18/2000, Microsoft has released a patch that fixes this
problem:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
If you do not want to download the patch, the safest workaround
is to disable cookies. You can do this by going to
Tools->Internet Options->Security, clicking the button to customize
security settings, and setting cookies to "disable". (Note that this
will cause some sites, such as HotMail, to break.)
Also, if you have Netscape's browser installed, it is not affected by
the bug.
Implications
Jamie McCarthy came up with a list of cookies set by various
sites that could be used to retrieve sensitive information: