Bug hunters find 'cookie' hole in IE

Personal information can be had if the victim uses Internet Explorer and clicks on a disguised string of JavaScript code. MS says a patch is coming.

Computer bug-hunters have pointed out a way to snare personal information from a "cookie" file if the victim uses Microsoft Internet Explorer and clicks on a disguised string of JavaScript code. Microsoft said it was working on a patch for the security hole.

The potential vulnerability was reported Thursday by Bennett Haselton and Jamie McCarthy on the Peacefire.org Web site. Haselton, who organized Peacefire as an anti-censorship group for young people, has worked on methods to circumvent content-blocking software in the past. More recently, he has pointed out a series of Web-based vulnerabilities involving Hotmail e-mail accounts as well as Microsoft and Netscape browsers. (Microsoft, which operates Hotmail, is a partner in MSNBC.)

This glitch involves the way Microsoft Internet Explorer interprets Web addresses, known as uniform resource locators or URLs, when deciding which site's cookies to hand over. Cookies are short text files stored on your computer that contain data on preferences, session identifiers or perhaps even passwords for particular Web sites.

Here's how the cookie-stealing technique works, as explained by Haselton: When a user connects with a Web site, the browser looks at the address the user typed in (for example, www.amazon.com) to determine whether it should provide access to a particular cookie. In this example, only the Amazon.com Web server would be given access to the Amazon.com cookie.

Haselton constructed a JavaScript program to demonstrate how Internet Explorer could be fooled into thinking that it was opening access to cookie information for a particular site, when it was actually allowing the cookie to be sent to the Peacefire.org server.

He replaced the slashes and a question mark in a long Internet address with their hexadecimal "percent-encoded" equivalents, "%2f" and "%3F." Internet Explorer interpreted the resulting address inconsistently: it connected with Peacefire's site, but treated the address as belonging to another specified site when deciding which cookies to send. (Peacefire has posted a full explanation on its site.) A user would have to be coaxed into clicking on a button or a link that would activate the cookie-stealing code.
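The following is an added illustration of the class of bug described above, written for this article; it is not Peacefire's demonstration code and not Internet Explorer's. It assumes the mechanism was a parsing mismatch: the network side decodes "%2f" and "%3F" before splitting the address into host and path, while the cookie side splits the raw string and tail-matches the result against cookie domains. The crafted address, the cookie jar contents and the function names are all constructed for the example.

```javascript
// Constructed cookie jar: Netscape-style domain cookies matched by tail.
const JAR = [
  { domain: ".yahoo.com", name: "Y", value: "session-constructed" },
  { domain: ".peacefire.org", name: "pf", value: "pref-constructed" },
];

// Authority = everything after "scheme://" up to the first "/", "?" or "#".
const AUTHORITY = /^https?:\/\/([^\/?#]+)/i;

// Network side (assumed behaviour): escapes are decoded before the split, so
// "%2f" becomes a real path separator and the host ends at www.peacefire.org.
function hostForConnection(url) {
  let decoded;
  try {
    decoded = decodeURIComponent(url);
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
  const m = AUTHORITY.exec(decoded);
  return m ? m[1].toLowerCase() : null;
}

// Cookie side (assumed behaviour): the raw string is split without decoding,
// so everything up to the first literal "/" is taken as the host.
function hostForCookies(url) {
  const m = AUTHORITY.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Tail-matching rule: host "mail.yahoo.com" matches cookie domain ".yahoo.com".
function cookiesFor(host, jar) {
  if (host === null) return [];
  return jar.filter(c => host === c.domain.slice(1) || host.endsWith(c.domain));
}

// Reports where the browser connects, whose cookies it sends, and which of
// those cookies do not belong to the host actually contacted.
function analyze(url, jar = JAR) {
  const connectHost = hostForConnection(url);
  const cookieHost = hostForCookies(url);
  const sent = cookiesFor(cookieHost, jar);
  return {
    connectHost,
    cookieHost,
    sent: sent.map(c => c.name),
    leaked: sent.filter(c => cookiesFor(connectHost, [c]).length === 0).map(c => c.name),
  };
}

// Hardened cookie side: derive the host once, from the same canonical parse the
// connection uses, and reject anything that is not a plausible hostname.
function hostForCookiesHardened(url) {
  const host = hostForConnection(url);
  return host !== null && /^[a-z0-9.-]+$/.test(host) ? host : null;
}

function analyzeHardened(url, jar = JAR) {
  const connectHost = hostForConnection(url);
  const cookieHost = hostForCookiesHardened(url);
  return { connectHost, cookieHost, sent: cookiesFor(cookieHost, jar).map(c => c.name) };
}

// Constructed crafted link: "/" written as %2f and "?" as %3F, so the raw
// authority ends in ".yahoo.com" while the decoded host is www.peacefire.org.
const CRAFTED = "http://www.peacefire.org%2fsecurity%2fshowcookie.html%3F.yahoo.com/";

console.log(analyze(CRAFTED));          // sent: ["Y"], leaked: ["Y"]
console.log(analyzeHardened(CRAFTED));  // sent: ["pf"]
```

The point of the two `analyze` variants is that the vulnerable one reaches two different answers to the question "which site is this?", and the cookie for the wrong answer travels to the right one. Fixing it is not a matter of decoding in both places; it is a matter of computing the host once and using that single value for every decision.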

Haselton acknowledged that cookies don't generally store a user's most sensitive personal information, such as credit card numbers. However, some free e-mail sites such as Hotmail and Yahoo! use cookies to authenticate users if they were already logged in to the sites.

"You could gain access to their account until the next time that they log out," Haselton told MSNBC.com. Logging out clears that cookie.

Cookies are also used by e-commerce sites to keep track of a user's "shopping cart." Amazon.com's cookie could provide information about a person's taste in reading material, although the user's actual purchases are not recorded in the cookie, Haselton said.

A determined break-in artist could harvest information from cookies for sites such as NYTimes.com, decipher the usernames and passwords, then try using that same login information at other Web sites, he said.

There was no sign Thursday that the technique was being used "in the wild" for malicious purposes. The vulnerability was found in Internet Explorer for Windows 95, 98 and NT, but not in the version of the Microsoft browser for Macintosh or Unix.

Microsoft said that the security hole could cause trouble, but that there were ways to avoid problems.

"Microsoft is committed to protecting customers' information," the company said in a statement, "and we are developing a patch that eliminates a security vulnerability involving the handling of cookies by IE. We expect to deliver the patch shortly. A security bulletin will be published at http://www.microsoft.com/technet/security/default.asp to discuss the issue and advise customers how to obtain and apply the patch."

The company pointed out that "customers who have used the IE Security Zones feature to disable Active Scripting on sites they don't trust could not be affected by this vulnerability."

Haselton and McCarthy advised Internet Explorer users to disable JavaScript until the fix was in. A spokeswoman for Microsoft said the company had no comment on that advice.

Concerns about online security have taken a higher profile since this month's worldwide distribution of the "Love" bug e-mail worm.