New Twist On Web-Forms Hack Scarfs Browser Cookies
Source: NewsBytes
An independent network security researcher has uncovered a new way to steal the secret browser "cookies" of Web surfers with the help of Internet servers that were never intended to communicate with browser software. The exploit, described by a researcher who uses the handle "Obscure" and posted on the Eye On Security Web (EOS) site, relies on common Internet server software other than Web servers that can "echo" hijacked submissions from HTML forms.
In a demonstration of the exploit, which Obscure calls the Extended HTML Form Attack, a POP3 (post office protocol) e-mail server at Ebay was used to divulge the browser cookies of users who had visited the auction giant's Web site.
As delivered by some Web sites, browser cookies may contain such private information as user IDs and passwords.