Microsoft downplays IE 'cookiejacking' bug

But clickjacking expert Jeremiah Grossman calls cookie hijacking attack 'clever'

"I think they're wrong," he said. "Like many esoteric attack techniques, until they've seen it used in the wild, they'll downplay it. It's actually a very simple attack, but it's not technically difficult, so their take is 'Nothing new to see here.'"

Valotta's proof-of-concept attack was relatively simple: He built a Facebook game that baited users with a simple puzzle of an attractive woman, and with it was able to collect dozens of cookies from unsuspecting Facebook users.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," Valotta told the Reuters news service this week.

The puzzle required users to drag and drop pieces on the Web page; unbeknownst to the victims, when they did so they actually dragged cookies to a specific spot on the screen where a clickjacking attack captured the data before sending it to Valotta.

Valotta said that all versions of IE, including the just-released IE9, on all supported editions of Windows, including XP, Vista and Windows 7, were vulnerable to cookiejacking attacks.

Bryant added that the IE vulnerability was not serious enough to trigger an emergency, or "out-of-band," security update. "We are also not aware of it being used in any active way outside of the demo at [the Amsterdam] Hack in the Box [conference]," he said.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.
