
Expert Discovers ‘Cookiejacking’ Vulnerability In Internet Explorer

An Italian security researcher has discovered a zero-day bug in Microsoft’s Internet Explorer web browser that could allow hackers to steal browser cookies and gain access to user accounts.

Researcher Rosario Valotta claims that the ‘cookiejacking’ vulnerability is present in every version of Internet Explorer on any Windows platform, CNET reports.

The ‘cookiejacking’ bug could let hackers steal the cookies stored by the web browser. Cookies generally contain a user’s web browsing information, including log-in details for social networking, email and online retail websites.

Valotta, who demonstrated the vulnerability at security conferences in Switzerland and Amsterdam, admitted that hackers would need to do a fair bit of social engineering in order to exploit the bug. This is because they would need users to drag and drop an object on the PC for the cookies to be stolen.

The researcher demonstrated how he was able to steal Facebook log-in credentials. He created a system on Facebook that required him to drag and drop an object by undressing a photo of a woman.

"Given the level of required user interaction, this issue is not one we consider high risk in the way a remote code execution would possibly be to users," Microsoft spokesman Jerry Bryant said in a statement sent to CNET.

"In order to possibly be impacted a user must visit a malicious Web site, be convinced to click and drag items around the page and the attacker would need to target a cookie from the Web site that the user was already logged into," he added.