Peacefire.org: IE exposes private cookie data
May 12, 2000, 00:34
(Other stories by Bennett Haselton)
From: owner-peacefire-press@iain.com

Peacefire has found a way for a Web site to read all cookies stored by Internet Explorer -- including cookies that were never intended to be visible to a third-party Web page. This has always been the worst fear of cookie-paranoiacs who worry about cookies revealing too much information to unauthorized sites, but a way to do it has never actually been discovered, until now.

Our demonstration site is at:

This has huge implications for any site that relies on cookies to authenticate users or to store private data. Accounts with HotMail, Yahoo Mail, and almost every other free email service can be broken into using this exploit -- and none of them can prevent against it since it's a browser bug and not a flaw with the web-based mail services. Amazon.com cookies can be used to discover a person's real name, email address, and even the types of products that the user has purchased from Amazon -- all as a result of the user simply viewing a third-party Web page.

And it's so simple that for the first time, I can actually describe the entire trick in the press release: you simply send the Internet Explorer user to a URL such as the following:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com
which, after replacing the "%2f" codes with "/" and the "%3F" with
"?", actually translates to:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
but without actual slashes in the URL, Internet Explorer thinks the
page is part of the "amazon.com" domain, and allows JavaScript code
on the page to read your Amazon.com cookie, even though the page is
located on Peacefire.org.
(And after this, together with yesterday's HotMail backdoor story, I should probably get an apartment a safer distance away from Microsoft, which you can see from my window.)
-Bennett
bennett@peacefire.org http://www.peacefire.org
(425) 649 9024
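The parsing mistake the release describes is, at bottom, a disagreement between two views of the same URL: the loader percent-decodes "%2f" into slashes and fetches a page from peacefire.org, while the cookie-domain check looks at the raw, still-encoded string and sees something that ends in ".amazon.com". The JavaScript below is an added example written for this page; it is not code from the Peacefire press release or from any browser. It shows a naive suffix check that makes the same error beside a strict check that validates the host before any decoding. The demonstration URL is the one quoted above; the Amazon cart URL and the "whatwgHost" helper name are constructed for the example.

```javascript
// Added example: deciding which cookie domain a URL belongs to.
// The "naive" variant reproduces the mistake described in the press release;
// the "strict" variant validates the hostname before any percent-decoding.

// URL quoted in the press release (peacefire.org page, "%2f" in place of "/").
const ENCODED_URL =
  'http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com';
// The same URL once the "%2f" and "%3F" codes are decoded.
const DECODED_URL =
  'http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com';
// Constructed for this example: a genuine amazon.com URL.
const AMAZON_URL = 'http://www.amazon.com/gp/cart';

// Authority = everything between "//" and the first "/", "?" or "#" of the RAW
// (undecoded) string. For ENCODED_URL that is the entire remainder, because the
// encoded form contains no literal "/" or "?".
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Naive (buggy) logic: a plain string-suffix check on the raw authority.
// ENCODED_URL's raw authority ends in ".amazon.com", so this says "yes".
function naiveCookieDomainMatch(url, cookieDomain) {
  const auth = rawAuthority(url);
  if (auth === null) return false;
  const bare = cookieDomain.replace(/^\./, '');
  return auth === bare || auth.endsWith('.' + bare);
}

// Strict logic: every label of the host must be a valid hostname label as
// written. A "%" (or any other non-hostname character) is rejected outright,
// so an encoded path can never be mistaken for part of the domain.
const HOST_LABEL = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?$/i;
function strictHost(url) {
  const auth = rawAuthority(url);
  if (auth === null) return null;
  let host = auth.replace(/^[^@]*@/, ''); // drop any userinfo
  host = host.replace(/:\d+$/, '');       // drop any port
  if (host.length === 0) return null;
  const labels = host.split('.');
  if (!labels.every((l) => HOST_LABEL.test(l))) return null;
  return host.toLowerCase();
}

function strictCookieDomainMatch(url, cookieDomain) {
  const host = strictHost(url);
  if (host === null) return false;
  const bare = cookieDomain.toLowerCase().replace(/^\./, '');
  return host === bare || host.endsWith('.' + bare);
}

// Constructed helper: what a modern WHATWG-style parser reports as the host,
// or null when it refuses the URL. Node's URL class percent-decodes the host
// and rejects forbidden characters such as "/" and "?", so ENCODED_URL is
// not accepted as a peacefire.org or an amazon.com page.
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null;
  }
}

// Stand-alone run: compare the two checks on all three inputs.
for (const u of [ENCODED_URL, DECODED_URL, AMAZON_URL]) {
  console.log(
    u,
    '\n  naive  matches .amazon.com:', naiveCookieDomainMatch(u, '.amazon.com'),
    '\n  strict matches .amazon.com:', strictCookieDomainMatch(u, '.amazon.com'),
    '\n  strict host:', strictHost(u),
    '\n  WHATWG host:', whatwgHost(u),
  );
}
```

The point for anyone writing a cookie jar, a same-origin check or a URL allow-list: determine the host from the raw authority, validate it as a hostname, and only then compare domains. Decoding first, or matching on an undecoded string, are the two halves of the bug.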