Microsoft discovers bugs in the cookie jar
Microsoft Says Flaw in Browser
Offers Access to 'Cookies' Data
By TED BRIDIS
Staff Reporter of THE WALL STREET JOURNAL
Microsoft Corp. acknowledged a flaw in its popular Internet browser that
could let hackers steal "cookies," sensitive files e-commerce sites use to
track and conduct business with customers online.
E-commerce sites routinely deposit cookies
on the computers of Web users in order to do
such things as keep track of their purchases.
Potential privacy problems with cookies have been under investigation by
the Federal Trade Commission, but that inquiry has been limited to their
use by advertising firms to tie information about Web users' buying habits
to their personal identities.
The browser flaw could be more worrisome because it gives hackers
relatively easy access to the sensitive data sometimes contained in and
accessed through cookies, and because it could affect such a large
group-those who use the two most recent versions of Microsoft's Web
browser, roughly two-thirds of Web users.
"It's definitely a vulnerability," said Steve Culp, a top security official at
Microsoft, Redmond, Wash., which has vowed to repair the problem
soon.
While industry standards recommend that no sensitive information be
recorded in cookie files, some Web sites include such things as customer
names and site-specific passwords. Thus the flaw can be exploited not
only to view personal information used with e-commerce sites, such as
names and product preferences, but to access such things as Web-based
e-mail accounts and details about past Web browsing, according to private
computer experts who discovered the vulnerability. They were studying
whether the flaw might allow hackers to make online purchases with
customers' credit-card information stored on some sites.
The flaw was discovered by Bennett Haselton, a 21-year-old activist
against Internet censorship, who found that Microsoft's Explorer software
can be tricked into granting a hacker permission to view the contents of
any cookie on a victim's computer. Gaining such access involves coding
embedded in a Web address that deceives a user's browser into
responding as if the request for the cookie came from an authorized Web
site. |
