
New Twist On Web-Forms Hack Scarfs Browser Cookies

configure   on 11 February 2002 - 13:19 · no comments & 541 views

Thanks Sleeper for sending this in :D

An independent network security researcher has uncovered a new way to steal the secret browser "cookies" of Web surfers with the help of Internet servers that were never intended to communicate with browser software.

The exploit, described by a researcher who uses the handle "Obscure" and posted on the Eye On Security (EOS) Web site, relies on common Internet server software other than Web servers that can "echo" hijacked submissions from HTML forms.

In a demonstration of the exploit, which Obscure calls the Extended HTML Form Attack, a POP3 (post office protocol) e-mail server at Ebay was used to divulge the browser cookies of users who had visited the auction giant's Web site.

As delivered by some Web sites, browser cookies may contain such private information as user IDs and passwords.

An EOS paper on the vulnerability says the Extended HTML Form Attack appears to work on recent releases of browsers from Microsoft and Opera.

The exploit gets its name from the HTML Form Protocol Attack described last summer by computer programmer Jochen Topf, who discovered that malicious hackers could wield seemingly ordinary-looking Web pages to send commands to servers behind such barriers as corporate firewalls.

Topf found that some popular Web browsers didn't complain when data submitted through otherwise ordinary Web forms was directed at TCP (transport control protocol) ports associated with such services as e-mail (simple mail transfer protocol, SMTP, and POP3), Internet relay chat (IRC), the file transfer protocol (FTP) and newsgroups (NNTP).

News source: TechNews - New Twist On Web-Forms Hack Scarfs Browser Cookies


In the exploit described by Topf, a hacker could have commands hidden in a bogus Web page on the public Internet submitted to, say, an e-mail server within the Web surfer's own corporate network - even if that server was behind a firewall.

The vulnerability described by EOS takes a similar approach to misdirecting form submissions, but directs the data at a non-Web server within a domain space for which an unsuspecting surfer may have browser cookies.

Web browsers are supposed to give up their browser cookies only to the same Web servers that handed them out.

Web developers such as those at Ebay can specify that the cookies be revealed to any Web server whose Internet address ends in "ebay.com." That allows Ebay users to remain logged in when they move from "www.ebay.com" to "pages.ebay.com."

But it also means that the browsers of Ebay customers will give up their cookies when directed to a POP-mail server at "thompson.ebay.com."

Using Topf's HTML Form Protocol Attack to direct a bogus form submission at the TCP port reserved for POP mail - port 110 - Obscure was able to get the server to echo back the submitted data in its error messages.

By carefully crafting the data being submitted to the target server, some of the text returned in the error messages can be interpreted as valid commands by the Web browser.

Obscure said that allows a hacker to embed JavaScript commands in his rogue form that will automatically capture and forward the stolen cookie information.

Some browsers, such as Netscape, won't allow form data to be directed at TCP ports not associated with Web protocols.
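The two browser-side rules the story turns on, modelled as an added example (not code from the article, EOS or any browser): RFC 6265 cookie domain matching, which is why a cookie scoped to ".ebay.com" would accompany a request to a mail host such as "thompson.ebay.com", and a destination-port filter of the kind Netscape applied to form targets. The host names come from the article; the port list is a constructed subset.

```python
from dataclasses import dataclass

# Ports for the non-Web services the article names; a constructed subset of the
# kind of port blocklist a browser applies to form submissions.
BLOCKED_PORTS = {21: "ftp", 25: "smtp", 110: "pop3", 119: "nntp", 6667: "irc"}


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # "ebay.com" when set with Domain=.ebay.com
    host_only: bool    # True when Set-Cookie carried no Domain attribute


def domain_matches(request_host, cookie_domain):
    """RFC 6265 5.1.3 domain-matching: identical, or a dot-separated suffix."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().lstrip(".")
    return host == dom or host.endswith("." + dom)


def cookies_sent_to(host, jar):
    """Names of the cookies a browser would attach to a request for `host`."""
    sent = []
    for c in jar:
        if c.host_only:
            # Host-only cookies go back to exactly the host that set them.
            if host.lower() == c.domain.lower():
                sent.append(c.name)
        elif domain_matches(host, c.domain):
            # Domain cookies follow the user to every host under that domain,
            # including hosts that are not Web servers at all.
            sent.append(c.name)
    return sent


def form_submission_allowed(port):
    """Port filter: refuse form targets on ports reserved for non-Web services."""
    return port not in BLOCKED_PORTS


if __name__ == "__main__":
    jar = [Cookie("session", "ebay.com", host_only=False),
           Cookie("prefs", "www.ebay.com", host_only=True)]
    print(cookies_sent_to("pages.ebay.com", jar))      # ['session']
    print(cookies_sent_to("thompson.ebay.com", jar))   # ['session']
    print(form_submission_allowed(110))                # False
```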
