Hi,

Look what I've made:
http://www.justsexxx.com/cook.html

click then on the link. The windows will show the cookie stored on your computer from google. I used the domain google, becasuse I presume that you've all been there once. Did it also with a passwork protected site, and I received the username and password, they we're protected, but you can encrypt that....

Let me know if your computer has the same problem.....(must have visited for this example google at least once since your last internetfiles cleanup)

Andre

Your cookie reader does not work :D

Doesn't work in Netscape or IE 5.
I'm guessing its reading your own cookies because its from your own computer.

WG

//www.google.com

It only works for IE 5.5 SP2 I believe and IE 6.0

Andre

Originally posted by justsexxx:
<STRONG>It only works for IE 5.5 SP2 I believe and IE 6.0

Andre</STRONG>

I use IE 6.+ does not work ;)

yup i doesnt work in IE 6.0.2600

Trusty Opera says "illegal address" :)

From Microsoft

Web sites use cookies as a way to store information on a user's
local system. Most often, this information is used for customizing
and retaining a site's setting for a user across multiple sessions.
By design each site should maintain its own cookies on a user's
machine and be able to access only those cookies.

A vulnerability exists because it is possible to craft a URL that
can allow sites to gain unauthorized access to user's cookies and
potentially modify the values contained in them. Because some web
sites store sensitive information in a user's cookies, it is also
possible that personal information could be exposed.

Risk Rating:
============
- Internet systems: High
- Intranet systems: High
- Client systems: High

Here's the whole letter from Microsoft in case anyone hasn't seen it.

The following is a Security Bulletin from the Microsoft Product Security
Notification Service.

Please do not reply to this message, as it was sent from an unattended
mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title: Cookie Data in IE Can Be Exposed or Altered
Through Script Injection
Date: 08 November 2001
Software: Internet Explorer
Impact: Exposure and altering of data in cookies
Max Risk: High
Bulletin: MS01-055

Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-055.asp.
- ----------------------------------------------------------------------

Issue:
======
Web sites use cookies as a way to store information on a user's
local system. Most often, this information is used for customizing
and retaining a site's setting for a user across multiple sessions.
By design each site should maintain its own cookies on a user's
machine and be able to access only those cookies.

A vulnerability exists because it is possible to craft a URL that
can allow sites to gain unauthorized access to user's cookies and
potentially modify the values contained in them. Because some web
sites store sensitive information in a user's cookies, it is also
possible that personal information could be exposed.

Microsoft is preparing a patch for this issue, but in the meantime
customers can protect their systems by disabling active
scripting. (The FAQ provides step-by-step instructions for doing
this). This will protect against both the web-hosted and the
mail-borne variants discussed above. When the patch is complete,
Microsoft will re-release this bulletin and provide details on
obtaining and using it.

Mitigating Factors:
====================
- A user must first be enticed to a malicious web site or to
open an HTML e-mail containing the malformed URL.

- Users who have applied the Outlook Email Security Update
are not affected by the HTML mail exploit of this
vulnerability.

- Users who have set Outlook Express to use the "Restricted
Sites" Zone are not affected by the HTML mail exploit of this
vulnerability because the "Restricted Sites" zone sets Active
Scripting to disabled. Note that this is the default setting
for Outlook Express 6.0. Users of Outlook Express 6.0 should
verify that Active Scripting is still disabled in the Restricted
Sites Zone.

Risk Rating:
============
- Internet systems: High
- Intranet systems: High
- Client systems: High

Patch Availability:
===================
- A patch is currently under development. A work-around is
available to mitigate this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-055.asp
for information on obtaining this patch.