Peacefire.org: IE exposes private cookie data

Written By
Web Webster
May 12, 2000

From: owner-peacefire-press@iain.com [mailto:owner-peacefire-press@iain.com] On Behalf Of Bennett Haselton
Sent: Thursday, May 11, 2000 4:08 PM
To: peacefire-press@iain.com
Subject: (biggest one yet) IE exposes private cookie data

Peacefire has found a way for a Web site to read all cookies
stored by Internet Explorer — including cookies that were never
intended to be visible to a third-party Web page. This has always
been the worst fear of cookie-paranoiacs who worry about cookies
revealing too much information to unauthorized sites, but a way to
do it has never actually been discovered, until now. Our
demonstration site is at:

http://www.peacefire.org/security/iecookies/

This has huge implications for any site that relies on cookies to
authenticate users or to store private data. Accounts with HotMail,
Yahoo Mail, and almost every other free email service can be broken
into using this exploit — and none of them can prevent it
since it’s a browser bug and not a flaw with the web-based mail
services. Amazon.com cookies can be used to discover a person’s
real name, email address, and even the types of products that the
user has purchased from Amazon — all as a result of the user
simply viewing a third-party Web page.

And it’s so simple that for the first time, I can actually
describe the entire trick in the press release: you simply send the
Internet Explorer user to a URL such as the following:

http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com

which, after replacing the “%2f” codes with “/” and the “%3F” with
“?”, actually translates to:

http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com

but without actual slashes in the URL, Internet Explorer thinks the
page is part of the “amazon.com” domain, and allows JavaScript code
on the page to read your Amazon.com cookie, even though the page is
located on Peacefire.org.

(And after this, together with yesterday’s HotMail backdoor
story, I should probably get an apartment a safer distance away
from Microsoft, which you can see from my window.)

        -Bennett

bennett@peacefire.org     http://www.peacefire.org
(425) 649 9024
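
The host confusion described in the message above can be modelled as a check a mail filter or proxy could run on links. This is an added example, not part of the original press release or Peacefire's demonstration code; the function names are hypothetical and the two-parser model is an assumption based only on the behaviour the message describes.

```javascript
// Added example: all function names are hypothetical.
// Authority as a naive parser sees it: the text between "://" and the first
// literal "/", "?" or "#", with percent-escapes left undecoded.
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Host actually contacted once the escapes are decoded (assumed model):
// decode the authority first, then cut at the first delimiter.
function effectiveHost(url) {
  const auth = rawAuthority(url);
  if (auth === null) return null;
  let decoded;
  try { decoded = decodeURIComponent(auth); } catch { return null; }
  return decoded.split(/[\/?#]/)[0].toLowerCase();
}

// Cookie-style tail match: "x.amazon.com" matches ".amazon.com".
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return h === d || h.endsWith("." + d);
}

// Report where the two views disagree; a link is suspicious when its
// authority carries an encoded delimiter or when only the naive view matches.
function inspectUrl(url, cookieDomain) {
  const raw = rawAuthority(url);
  const host = effectiveHost(url);
  const naiveMatch = raw !== null && domainMatches(raw, cookieDomain);
  const realMatch = host !== null && domainMatches(host, cookieDomain);
  return {
    raw, host, naiveMatch, realMatch,
    encodedDelimiter: raw !== null && /%(2f|3f|23|40|5c)/i.test(raw),
    suspicious: naiveMatch !== realMatch,
  };
}

// The two URLs quoted in the message, checked against ".amazon.com".
const encoded =
  "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com";
const plain =
  "http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com";
console.log(inspectUrl(encoded, ".amazon.com"));
console.log(inspectUrl(plain, ".amazon.com"));
```

For the encoded URL the naive view tail-matches `.amazon.com` while the decoded host is `www.peacefire.org`, which is the disagreement the message describes; the plain URL shows no mismatch.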