How 'cookiejacking' could steal people's Facebook passwords

Cookiejacking could let hackers compromise Facebook profiles, says a computer security expert. But Microsoft argues cookiejacking isn't a high-risk threat.

Cookiejacking could hijack your Facebook log-in credentials.

A new hacking scheme called "cookiejacking" could expose a person's usernames and passwords for Facebook, Twitter, and countless other websites, says Rosario Valotta, an Internet security researcher.

Most websites that require you to log in will save your online credentials as "cookies." These small browser files can contain anything from passwords and site preferences to the contents of an online shopping cart. Cookiejacking, according to Mr. Valotta, lets hackers steal those cookies and get away with your personal information.

"Any website. Any cookie. Limit is just your imagination," Valotta told Reuters.

Cookiejacking only works against people using Internet Explorer, he says. But all versions of the browser, including the latest edition of IE 9, are vulnerable.

There is, however, a very big catch: To access your cookies, a hacker must design a website or game that convinces you to drag an object from one side of the screen to the other. For example, Valotta "built a puzzle that he put up on Facebook in which users are challenged to 'undress' a photo of an attractive woman," reports Reuters. Once players move the digital clothing, they unwittingly trigger the cookiejacking trap.

Valotta says he harvested more than 80 cookies from his 150 Facebook friends in less than three days.

Microsoft says it isn't too concerned about cookiejacking, according to company spokesmen. A hacker needs to jump through too many hoops for this tactic to be a major threat.

"Given the level of required user interaction, this issue is not one we consider high risk," Microsoft's Jerry Bryant told Reuters. "In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into."

While cookiejacking goes down as yet another potential exploit against PCs, Mac OS has suddenly come under attack from malware. First Mac Defender and now Mac Guard have tricked Apple users into installing malicious software onto their computers. Check out yesterday's report for more on this Mac malware.
