News > Technology
Microsoft browser flawed?
May 15, 2000: 7:34 a.m. ET

Security hole in Internet Explorer opens back door to hackers, says news report
By Staff Writer Michele Masterson
graphic graphic
NEW YORK (CNNfn) - Microsoft's Internet Explorer browser contains a security glitch allowing hackers to view Web users' page visits through the use of so-called "cookies" technology, according to a news report on Monday.

graphic CNNfn's Steve Young explains what cookies are and how vulnerable computers are because of this.
Real 28K 80K
Windows Media 28K 80K
Bennett Haselton, an anti-Internet activist of, discovered the flaw late last week, after exposing security problems with Microsoft's e-mail product, HotMail. Haselton said that hackers can use a special Internet address, or URL, which then allows a Web site to read Internet Explorer cookies from anywhere -- opening up the possibility that the hacker can use the information to make illegal purchases.

Microsoft acknowledged the browser problem, according to an article in Monday's Wall Street Journal. Public relations officials for the software maker said they were in the process of issuing a statement about the security problem, but would not directly confirm the story.

graphicCookies refers to data that are created by a Web server and stored on a user's computer, allowing Web sites to track user buying patterns and preferences. Many e-commerce companies and Internet advertisers use cookies to track where customers make purchases, such as through "shopping cart" features or through ad views.

Haselton said the Netscape Navigator browsers are unaffected by this security flaw.

As an example, Haselton said that when an Internet Explorer user visits and uses their Click-1 ordering technology, that cookie is recorded.

"By sending that information to a special Web site, I can get your Amazon cookie and actually order stuff using your credit card number," said Haselton.

"It turns out that the orders I place have to get shipped to your address - the cookie doesn't allow you to change shipping information - but it means I could flood your mailbox with say, 100 Beanie babies that would've looked like you ordered them from Amazon and that would be charged to your credit card," Haselton said.

Amazon (AMZN: Research, Estimates) officials were not immediately available for comment.

Haselton said fellow member, Jamie McCarthy, has come up with a demonstration that uses the browser flaw to show a user which sites they visited and at what times. "Of course that information could simultaneously be mailed to the Web master of that page - for third parties to be able to intercept cookies has pretty big implications."

Internet Explorer users can protect themselves by turning off the Java script function from the browser. Haselton said that just turning off the cookies feature is not sufficient - it will possibly prevent new cookies from being seen but old cookies can still be viewed. Directions for turning off Java script can be found in a special section at the site.

Microsoft browsers that contain the security hole include all versions of Internet Explorer for Windows 95, 98, NT and 2000, according to Haselton. Internet Explorer for Macintosh does not have the glitch.

Microsoft is reportedly working on a fix and will post instructions on its Web site in the tech section.

In afternoon trading, shares of Microsoft (MSFT: Research, Estimates) were down 1/16 at 68-3/4. Back to top


Keep Microsoft whole: poll - May 10, 2000

CNNfn special report: Microsoft on trial

MSFT outlook downbeat - April 20, 2000



Note: Pages will open in a new browser window
External sites are not endorsed by CNNmoney