A new bug has been discovered that can cause both Netscape Communicator and Microsoft’s Internet Explorer to display information from cookies that contain passwords and other personal information.
Cookies are normally only visible to the site that placed them on a visitor’s hard drive and are often used to automatically log in the user. However, the operator of Consumer.net, an online site offering various consumer protection information, discovered a bug earlier this week that can give others access to the data.
Russ Smith, owner of Consumer.net, has posted detailed information on the bug. He also shows the files that were unwittingly downloaded from his site’s visitors.
Both Netscape and Microsoft said they were looking into the matter and would work with Smith to try and duplicate the problem. Smith said the bug doesn’t appear to be affecting the vast majority of those who use either browser. However, no one has determined why only certain systems have been affected.
Privacy advocates have often expressed fears that personal information stored in cookie files can be exposed to others. Although cookies tend to work perfectly most of the time, bugs like the one Smith discovered, illustrate how the technology can be abused.
The Web site OnlinePrivacy.com contains a cookie analyzer that allows users to test their system to see if it is vulnerable to the bug.