I thought the cookie spec said that the cookie could only be sent back to a machine on the same domain that issued the cookie, or am I missing something here?
A security researcher has devised an attack that remotely steals digital credentials used to access user accounts on Facebook and other websites by exploiting a flaw in Microsoft's Internet Explorer browser. Independent researcher Rosario Valotta demonstrated his “cookiejacking” proof of concept last week at the Hack in the Box …
local file access. Yes, Explorer (or rather, JavaScript running in it) can access local files and the system's ActiveX controls - when it's running in a certain "trust context". Somewhat like Firefox's plugins are allowed stuff forbidden for regular webpage script. Except in IE they did it... well... the usual.
XSS with details. I'm going to have to call "meh" on it, though I acknowledge that these folks worked very hard to find this series of wrinkles.
To rephrase: is it likely that present-day security tools that cover XSS will also cover this? Also, if these websites set the secure cookie flag (SSL only, matching domain, if I recall correctly), does that eliminate this attack? I have never understood why these sites use SSL at the login, but never anytime after. A simple Ettercap bit of fun is all that is needed to grab the session cookie (unless it's SSL; then you have to terminate on the user side, and re-encrypt going out the other way).
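A small audit of the cookie flags the comment above asks about, added here as an example and not taken from the thread; the Set-Cookie headers are constructed. The Secure flag only governs transport (the cookie is withheld from plaintext HTTP requests), it says nothing about how the browser stores the cookie on disk.

```python
# Added example: check Set-Cookie headers for the protective attributes a
# defender would expect on a session cookie. Constructed sample data, not
# headers captured from any real site.

# Constructed sample, in the shape of a site that uses SSL only at login.
SAMPLE_HEADERS = [
    "session_id=abc123; Path=/; HttpOnly",
    "login_token=xyz789; Path=/; Secure; HttpOnly",
    "tracking=1; Path=/",
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header):
    """Return (cookie name, list of missing protections) for one header."""
    name, _, attrs = parse_set_cookie(header)
    missing = []
    if "secure" not in attrs:
        # Without Secure the cookie rides on plaintext HTTP, where a wire
        # sniffer (the Ettercap scenario above) can read it.
        missing.append("Secure")
    if "httponly" not in attrs:
        # Without HttpOnly any script on the page can read document.cookie.
        missing.append("HttpOnly")
    samesite = attrs.get("samesite")
    if not isinstance(samesite, str) or samesite.lower() not in ("lax", "strict"):
        # SameSite=Lax/Strict keeps the cookie off cross-site requests.
        missing.append("SameSite")
    return name, missing


def audit_all(headers):
    """Map each cookie name to the protections its header lacks."""
    return dict(audit_set_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, missing in audit_all(SAMPLE_HEADERS).items():
        print(f"{cookie}: {'ok' if not missing else 'missing ' + ', '.join(missing)}")
```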
Whatever...
All you really need to do is make the interaction look like some kind of browser game and you'll get a number of people doing it and falling foul of the attack. Remember that getting a user to do something with the promise of a reward isn't new in terms of attack vectors; I seem to recall a Kournikova attack in an encrypted zip file. Because the file was password protected, the mail relay virus scanners couldn't scan it but people would still jump through the hoops in the expectation of some nude pics.