Sometimes, the best way to foil a hacker is to think like one, which is exactly what Rosario Valotta, an Internet security researcher, did. He devised a way to steal digital credentials from Facebook users by exploiting a flaw in Internet Explorer, Microsoft’s default web browser.

He presented the process at the Hack in the Box Security Conference which was held in Amsterdamlast week. Basically, what he does is steal session cookies stored in Internet Explorer the moment the user enters a valid username and password. The concept is called ‘cookiejacking’, and it can be applied to all websites, not just Facebook. As such, the hack can be used anywhere, although Facebook and Twitter are the most obvious targets. Once the hacker has acquired that cookie, then he or she can use it to access the same website.

Of course, the hack isn’t really that easy. First, the hacker must somehow make the user drag and drop an object across the computer’s screen. It would be quite a bit suspicious if somebody randomly asks you to do that, so Valotta devised a way to make people do this without arousing suspicion. He created a puzzle challenging users to ‘undress’ a photo of a beautiful woman and posted it on his Facebook account. He got 80 cookies within just three days — and he only had 150 friends.

The hack works by exploiting a flaw in the IE security zones feature, a feature which can be used to tell users which sites are malicious and which are trustworthy. The hacker embeds a special iframe tag in the malicious website and the browser exposes the cookies on the victim’s computer once the user does that drag and drop thing.

Microsoft has labeled this hack to be very low risk due to the fact that users are required to drag and drop objects within the malicious website. The user interaction required for it to work is simply too high, so Microsoft says that there is little chance that this hack can work in a real world situation. However, considering the Facebook factor and the affinity that Facebook users have for puzzle games, we feel this vulnerability is being understated. Just the fact that the hacker was able to obtain cookies for over half of his friend list proves the legitimacy of the threat. It only takes a little bit of resourcefulness to turn this technique into something more dangerous.