Google Blogoscoped

Wednesday, June 6, 2007

IE Vulnerability Allows Cookie Stealing

A security flaw in fully patched versions of Internet Explorer 6 and 7 allows an abusive site to override the so-called “same-domain origin policy.” What this means is that, for instance, an attacker can grab your Google cookie simply by luring you onto their web page while you’re signed in to Google, which can result in more of your Google data being exposed (without any fault on Google’s side – this can happen with any cookie or website, as it’s a browser bug).

Michal Zalewski, who discovered the bug and publicized a vulnerability demo (you need to log in to Google Poland to check this, but I suggest you don’t try with your real/main account), explains the specifics:

[W]hen Javascript code instructs MSIE to navigate away from a page that meets same-domain origin policy (and hence can be scriptually accessed and modified by the attacker) to an unrelated third-party site, there is a window of opportunity for concurrently executed Javascript to perform actions with the permissions for the old page, but actual content for the newly loaded page, for example: read or set victim.document.cookie, arbitrarily alter document DOM, including changing form submission URLs, injecting code, or even crashing the browser due to memory corruption while reading and writing not fully initialized data structures.

The demo worked for me, though this vulnerability cannot always be exploited (it depends on your connection details). But when it does work, as Michal continues, “the entire security model of the browser collapses like a house of cards and renders you vulnerable to a plethora of nasty attacks.”

Even though this is still unpatched for the browsers in question, the security vulnerability has already made it to places like Digg and ZDNet. Microsoft is investigating, and if you want to be on the safe side, don’t use IE, or don’t visit untrusted sites until it’s fixed.
