MSIE's Cookies Are Public

If you're using Microsoft Internet Explorer running on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar." (read more)

Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.

Essentially the bug is that MSIE's Javascript is not very smart about determining which domain you're coming from. If the URL you're looking at has its "/" characters replaced by the hex representation "%2f", it can be fooled into thinking your path is actually a very long machine name. Because it interprets that path wrongly, a well-placed ".yahoo.com" in the URL can make Javascript think it should be using Yahoo's cookies - and Javascript can be told to deliver those cookies back to the hostile server.

Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.

Or, you could migrate to another browser or operating system...

We have only tested this with IE 5, and Windows 95/98. Reports of success or failure with other versions would be welcome.

After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten by and is now hosted at securityspace.com. For best results, first go log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go visit securityspace's general info page and click the "click here."

Newsbytes and CNET have picked up this story and have good writeups.

You too can be a best selling author

Heres How...

1. Write book ( Something catchy and trendy ie. "Whats good for MS is good for America" ).

2. Build a website to promote your book.

3. Scan for BN and Amazon cookies from those who visit your site.

4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.

5. Collect your royalties and move offshore.

Uh Oh

Revealing proprietary, trade secrets on a public web site? Let's face it, this is MS, there is no way this is a security hole, they are too "innovative" for that kind of sloppy work to get through. This must be a special "enhancement" they made to the way javascript works, and as such, is covered under the DMCA.

I'll be it's another letter for you guys :)

Finkployd

cookies were NEVER secure

Anyone with a packet sniffer can see your cookies. They are not normally encrypted. Web developers should not be putting sensitive information in cookies or using cookies as the only verification needed for secure tasks, like on-line purchases. Sites like Yahoo are very careful to require a password before letting you edit sensitive data, even if you have a cookie.

With a policy like that, it really doesn't matter if the entire world looks at your cookies.

No big deal..

I can do that [min.net] with Netscape too.

Re:uh, I think yes

Actually the article just says that you can't get to credit card info or other account maintenance things because you are asked to type a password. This is correct. However, if the user has set up one-click on the computer you stole the cookies from, you probably can one-click order stuff. There is no password required for one-click (just "one click"). It's all based on cookies. Of course, whatever you order will be shipped to the victim and not to you, but you'll still run up their credit card bill :(

Re:You could have really abused this by...

You would have earned a place in the annals of Slashdot history.

That's OK. I now have the most active user-created sid in Slashdot history :)

numb

Wish I could red the linked article

A bit offtopic...

While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this expoit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.

So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.

Think of it as evolution in action.

WRONG!

Did you get a copy of the ILOVEYOU email or attachment? Did you look at the source code? I did. I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING! It was a Visual Basic script. Those don't do anything by themselves. I have a copy of it on my HD, and all my jpgs and mp3s are just fine...

Go read the article you posted the link to. All references to ILOVEYOU are *COMPARISONS*.

They quite clearly state: "Email viruses are now spreading WITHOUT THE USER OPENING ANY ATTACHMENT..... This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus." They make no claims about ILOVEYOU spreading in this manner. They simply use the havoc-level of ILOVEYOU as a baseline for destructiveness.

The virus they are referring to in this case is the Kak virus.

Eric

I am gonna...

put the Kerberos spec from MS in my cookie file.

That way they will be responsible for distributing their own trade secrets through their own security holes.

Then, they can sue themselves.

Proxomitron blocks with without killing JS

The default installation of Proxomitron [cjb.net] disables this exploit without sacrificing the Javascript functionality needed to enjoy the majority of sites. Cool.

And the paranoids will survive

As was pointed out a lot of sites use cookie to maintain session. Therefore if I can steal the session ID for lets say Amazon I could send you $20000 dollars of books as a joke. That is not funny.

This hole depreciates the value of "Netscape" cookies which is a nice way to maintain session with a connectionless protocol.

And the paranoids rejoice!!

Oh GOSH. Now they have the fake name/address/e-mail I always put on stupid registrations. So let Bob Gobman at 1 Happy St. get all the junk mail destined for me. And let the unfortuneate fellow whos e-mail is bob@bob.bob get all the spam destined for me.

Is it just me or do people find reasons to get all up and arms for nothing. For all of you how will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, the DON'T POST YOUR REAL DATA!!!

The other problem

I mentioned this yesterday in the Hotmail thread but it kinda got lost in the shuffle. Slashdot should post an article about the "client-side trojans" discussion that is going on at Zope. Slashdot isn't the only site affected by this--and it's a simple hack:

WARNING: Clicking this link will cause an article to be posted on Slashdot in your name [sourceforge.net]

Obviously such a link wouldn't need to warn you what is does, or post such an innocuous message. Maybe I could make it post you slashdot cookies to o :)

You can see the results in sid=numb [slashdot.org] and there is a link to the source in there too.

numb

Virtual hosting and other problems for Apache

I noticed this exploit causes problem with Apache as well. This could possibly cause a security hole somewhere :

when I specify a URL like this:

http://www.somewhere.com/test.php3?q=8

apache correctly reports:

"Host: www.somewhere.com"

but when I specify a URL like this:

http://www.somewhere.com%2ftest.php3%3fq=8

apache reports:

"Host: www.somewhere.com/jc/test.php3?q=8"

This means apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.

But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.

HOWTO Close up the scripting holes

HowTo turn-off scripting holes in outlook/IE.
------------------------------------------
In outlook/IE,

tools -> options -> Security -> Zone settings -> Custom level ->

under the scripting section disable
Active scripting,
Allow Paste operations, and
Scripting of Java applets.

Press ok till you are back in outlook/IE.

then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.

(Of course you all probably did this the first day you opened outlook, right.)
------------------------------------------

PS --
Here is very nice solution to the .vbs email attachment problem.
(add .txt to the attachment making it a text file)
I'm not sure how to implement this in Exchange, though.
(from Rick Johnson off the saclug.org mailing list)

-- Andy

A potential sploit

So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"?

yes

Just ran a test with my own amazon account. With 1-click turned on in a previous session:

1. with my cookies, 1-click enabled.

2. close browser, remove amazon cookies.

3. open browser, amazon askes me to log in; no 1-click

4. close browser, put amazon cookies back

5. open browser, amazon recognizes me, 1-click enabled, no password required.

Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.

Re:HOWTO Close up the scripting holes

HowTo turn-off scripting holes in outlook/IE.

Sorry but this does not stop the ILUVYOU virus. What you suggest disables scripts in HTML formatted email and that does stop viruses like Bubbleboy for example. It DOES NOT stop scripts sent as email attachments (ala ILUVYOU, Melissa etc) BIG DIFFERENCE. Many people seem to be having trouble understanding this. Scripts in HTML email are run by the IE script engine and are controlled by the settings in Internet Options. These are the kind of scripts that can run in the preview pane automatically. Email attachment scripts are run by the Windows Scripting Host and are run outside of Outlook (or any other emailer) and have to be run by the user. The way to fix this problem is to either remove the WSH or change the default association for VBS and JS script files.

Microsoft has known about this for months

I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.

However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.

UNIX _IS_ effected

I don't know how well the tests were performed, but I just tried the test with IE 5 for Solaris and saw my cookie in all its glory.

Hmm.. I only have IE for Solaris installed on this box for just such occasions.

--

Has Peacefire reported this to MS?

If the folks at Peacefire did not reported these problems to Microsoft's Security team, then they are essentially doing a major disservice to the public.

Hopefully, they do know Microsoft's address for reporting security issues: secure@microsoft.com. That address is monitored 24 hours a day and the MS security folks will try to replicate the problem ASAP.

fun with Amazon's One-Click Shopping (tm)

Fun with Amazon's One-Click Shopping, or "you mean you didn't order five hundred copies of Joy of Preteen Sex?"

Doesn't Amazon's proprietary exclusive patented HANDS OFF IT'S OURS AND YOU CAN'T HAVE IT One-Click Shopping system use cookies to save buyers those arduous extra clicks? And doesn't this mean that someone using this exploit can then get your personal buyer's information? ("Your," not "my", at least until Amazon stops suing people right and left.)

Gee, I guess it's a good thing that Amazon has defended their patent so vigorously, or else customers of other companies would be equally at risk.

By the way, this is off-topic, but I figure readers would be amused. Who is to blame for the "ILOVEYOU" worm? Those funloving Filipino folks who wrote it? Microsoft, for making their scripting language so insecure and so easy to subvert? Why no. According to those geniuses [nytimes.com] in Congress, the $15-billion dollars in damages (I wonder why they didn't say "$15-trillion" or $15-quadrillion" as long as they were pulling numbers out of thin air) are due to the slackness and irresponsibility of McAfee, the anti-virus vendor. I've got to be kidding, right? Well, check it out [nytimes.com].

Yours WDK - WKiernan@concentric.net

Re:No big deal..

Ahh, this looks to be a slashdot specific exploit. It makes slashdot put your loginid and password in the url, and redirects back to the script thus transmitting the referrer.

It's actually en exploit discussed on CERT [cert.org] where a malicious web site can embed some script in a link to a cgi script, which in turn pastes it into the resulting page unaltered and the victim's browser executes it.

In this case the script is a bit of javascript that outputs your slashdot cookie via search.pl. All javascript enabled browsers are affected by this.

It's just a result of sloppy coding.