The title up there is not a typo. An independent researcher has found a way to grab your log-in credentials when you use any version of Internet Explorer (yes, that includes IE 9). “Any website. Any cookie. Limit is just your imagination,” said Mr Rosario Valotta, an independent Internet security researcher based in Italy. The flaw allows hackers to grab your cookies, basically packets of data that has your log-in credentials. The spoof requires a fair amount of finagling on the hacker’s part, because it only works when the victim drags and drops an object across the PC’s screen. Mr. Valotta maintains that it’s fairly easy to do, and to prove this, he’s made a Facebook app that n which users are challenged to “undress” a photo of an attractive woman. “I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server,” he said. “And I’ve only got 150 friends.” Microsoft said there is little risk a hacker could succeed in a real-world cookiejacking scam. “Given the level of required user interaction, this issue is not one we consider high risk,” said Microsoft spokesman Jerry Bryant. “In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into.” Sure Microsoft, because people rarely get duped into scams like that in sites, oh say like Facebook.
Source: Today