Youth against Internet censorship
"It's not a crime to be smarter than your parents."
Internet Explorer "Open Cookie Jar"
Cookies stored by IE for Windows can be read by any Web site

Bennett Haselton
Jamie McCarthy

News sightings: Wall Street Journal | NYTimes (Note) | CNNfn | Slashdot | CNet | Internet News Radio | Newsbytes | MSNBC | ComputerWorld | National Post

See also:
JavaScript-in-cookies security hole (4/19/00) C-Net | ZDNet | NTSecurity | MSNBC
Eudora "stealth attachment" demo page (4/27/00) C-Net | ZDNet | Newsbytes | The Register
Internet Explorer "local JavaScript" security hole (5/5/00) C-Net | NewsBytes
"Fake mail form" security hole for Web-based email sites (5/9/00) C-Net
HotMail Attachment security hole (5/10/00) Wired | ZDNet | Slashdot | MSNBC

Any Web site that uses cookies to authenticate users or store private information -- including HotMail, Yahoo Mail, DoubleClick, and thousands of others -- could have cookies exposed by Internet Explorer and intercepted by a third-party Web site.

Update 5/18/2000: Microsoft has released a patch that will fix this vulnerability in Internet Explorer:

If you have Internet Explorer for Windows, type a domain (e.g. "" or "") in the space below, and click to view a page on that will display your cookie for that domain:
(You must click the button to submit the domain name -- hitting Enter will not work)

Or you can go to a demonstration at the following URL, to see a list of information that is exposed by cookies set from,, and other popular sites: (hosted by

Pascal Gaudette reported that the same scheme will work for HTTPS cookies as long as the server referenced by the "malformed URL" is HTTPS-enabled. You can use this form to read HTTPS cookies (enter a domain name and press the button):
(You must click the button to submit the domain name -- hitting Enter will not work)

How it works
Using a specially constructed URL, a Web site can read Internet Explorer cookies set from any domain. For example, to read a user's cookie, a site could direct the user's browser to:
If you replace the "%2f"'s with "/" characters, and the "%3F" with "?", this URL is actually:
But IE gets confused and thinks the page is located in the domain, so it allows the page to read the user's cookie.
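
The mismatch described above can be modelled and checked for. The sketch below is an added example, not code from the original page or from Internet Explorer; it assumes the fetcher decodes percent-escapes before splitting the URL while the cookie check suffix-matches the raw host. The function names and the `.example` URLs are constructed for illustration.

```javascript
// Added illustration, not IE's code. Assumed model of the confusion: the
// fetcher decodes %xx before splitting the URL, while the cookie check
// suffix-matches the raw, undecoded authority.

// RFC 3986: the authority ends at the first literal "/", "?" or "#".
function rawAuthority(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(url);
  return m ? m[1] : null;
}

// Host reached if percent-escapes are decoded before the URL is split.
function hostAfterDecoding(url) {
  const m = /^([a-z][a-z0-9+.-]*:\/\/)(.*)$/i.exec(url);
  if (!m) return null;
  try {
    return rawAuthority(m[1] + decodeURIComponent(m[2]));
  } catch (e) {
    return null; // malformed escape such as "%zz"
  }
}

// Cookie-style domain match: exact host or a dot-separated suffix.
function domainMatches(host, domain) {
  const h = String(host).toLowerCase(), d = domain.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Defensive rule: an authority is only host[:port]; any "%" is rejected.
function isPlainAuthority(authority) {
  return /^[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?$/i.test(authority || "");
}

function audit(url, cookieDomain) {
  const raw = rawAuthority(url);
  const connectsTo = hostAfterDecoding(url);
  return {
    connectsTo,
    confused: domainMatches(raw, cookieDomain) && !domainMatches(connectsTo, cookieDomain),
    reject: !isPlainAuthority(raw),
  };
}

// Constructed samples (reserved .example names), same shape as the page's URL.
const CRAFTED = "http://reader.example%2fshow.html%3F.shop.example";
const BENIGN = "https://www.shop.example/cart?id=1";
console.log(audit(CRAFTED, "shop.example"), audit(BENIGN, "shop.example"));
```

A proxy or URL filter can apply `isPlainAuthority` to every outbound request and drop those that fail it, since a legitimate host name never contains a percent-escape.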

Internet Explorer (all known versions) for Windows 95, 98, NT, and 2000. IE for the Macintosh does not appear to be affected. Users have reported that IE versions for Solaris and HP/UX are vulnerable, but IE's browser share on UNIX platforms is much lower. No version of Netscape Navigator or any browser other than Internet Explorer appears to be vulnerable.

As of 5/18/2000, Microsoft has released a patch that fixes this problem:
If you do not want to download the patch, the safest workaround is to disable cookies. You can do this by going to
Tools->Internet Options->Security
, clicking the button to customize security settings, and setting cookies to "disable". (Note that this will cause some sites such as HotMail to break.) Also, if you have Netscape's browser installed, it is not affected by the bug.


Jamie McCarthy came up with a list of cookies set by various sites that could be used to retrieve sensitive information: