The attack exploits a vulnerability in the IE security zones feature that allows users to segregate trustworthy websites from those they don't know or don't ever want to access. By embedding a special iframe tag in a malicious website, an attacker can circumvent this cross zone interaction and cause the browser to expose cookies stored on the victim's computer.
To exploit the flaw, the hacker must persuade the victim to drag and drop an object across the PC's screen before the cookie can be hijacked. That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to "undress" a photo of an attractive woman. "I published this game online on FaceBook and in less than three days, more than 80 cookies were sent to my server," he said. "And I've only got 150 friends." Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam.