** resending; the distinction between http and https cookies is
significant, and this about: bug underscores the importance of using
at least one "secure" cookie for extra protection **

On Thu, Nov 08, 2001 at 03:32:54PM +0200, Jouko Pynnonen wrote:
> Finally, the about URL may have a hostname placed after the colon, and IE
> uses that hostname when determining the cookies to use:
>
>   about://www.anydomain.fi/<script language=JavaScript>alert(document.cookie);</script>
>
> The above URL would result in IE displaying cookies of www.anydomain.fi
> in the alert box, assuming that the site has been visited and it has set
> a cookie which hasn't expired.

Site admins: be sure to set the "secure" flag on cookies where possible!

A colleague who has tested this (I don't have IE 5.5 or 6.0 handy)
reports at least one nugget of good news: it seems that about: can only
be used to leak non-secure cookies. At least for our site (which uses
both secure and non-secure cookies), only those not flagged secure are
visible.

So sites that run under SSL and set the secure flag are OK. But those
of us using cookies on plain old HTTP are in deep trouble. (And rumor
has it that at least one prominent online investment e-trading site,
despite using SSL, does *not* set the secure flags for their cookies,
and therefore their customers using IE 5.5 or IE 6.0 are vulnerable to
some degree of account information theft!)

Unfortunately, a quick survey of some on-line storefronts by prominent
tech companies (Red Hat, IBM, Microsoft) suggests that it's rather
popular for commerce sites to only use non-secure cookies. This despite
the discussion of the "cookie marking" bug in IIS 4 and IIS 5 that
prompted patches.[0]

Microsoft: this really, really stinks.

-Peter

[0] http://www.ciac.org/ciac/bulletins/l-010.shtml
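
One way a site admin could check the advice above, as an added example that is not part of the original post: it parses the Set-Cookie headers of a response and separates cookies that carry the "secure" attribute from those that do not, the group the post reports as visible through about:. The sample response, cookie names and function names are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the "secure" attribute.
# SAMPLE_RESPONSE is constructed data, not captured from a real site.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=3f9a1c; Path=/; Secure
Set-Cookie: account=jdoe-4471; Path=/
Set-Cookie: prefs=lang%3Den; Expires=Fri, 08 Nov 2002 13:32:54 GMT; path=/; SECURE
Set-Cookie: basket=17
Set-Cookie: secure=yes; Path=/

<html>body is ignored</html>
"""


def parse_set_cookie(value):
    """Return (cookie_name, attrs); attrs maps lower-cased attribute names to values."""
    parts = [p.strip() for p in value.split(";")]
    # The first segment is always name=value, even if the name is "secure".
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def audit_cookies(raw_response):
    """Split the cookies a response sets into (with secure flag, without it)."""
    flagged, exposed = [], []
    for line in raw_response.splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # blank line ends the header block
        header, sep, value = line.partition(":")
        if not sep or header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        # Attribute names are case-insensitive; a cookie merely *named*
        # "secure" does not count as flagged.
        (flagged if "secure" in attrs else exposed).append(name)
    return flagged, exposed


if __name__ == "__main__":
    flagged, exposed = audit_cookies(SAMPLE_RESPONSE)
    print("secure flag set:", ", ".join(flagged))
    print("no secure flag: ", ", ".join(exposed))
```

The cookie named `secure` is reported as unflagged, which a plain substring search for "secure" in the header would get wrong.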