There is a website from which I order stuff. I've made it a trusted site in both http & https forms. It has a cookie which I retain for convenience when other cookes get deleted.

When visiting the website from just it's normal address, I end up straight into "My Account" without need for either email address or password.

Fine, all jolly convenient. From most of what I've read only the website that gave me the cookie can read it.

My question is this:-

Time has marched on in terms of hackers. Is it now possible for a clever hacker/criminal to somehow read and use this cookie in order to place orders, or at least deduce the password? He could probably alter the delivery address quite legitimately.

Derek.W

Not knowing the website you are referring to, it's hard to say.

Technically? Yes, it's possible.

I recommend getting AdAware, it does a good job of sorting out the malicious (tracking) cookies from the good ones.

If you are really concerned with whats on your PC that might be tattling on you, get SpyBot Search & Destroy also.

_________________________
The internet is no longer a toy, it's a COMBAT ZONE!

Zone Alarm Pro is great too, every site you visit and every sub-domain linked for ads or third party cookies are visable and controlable. You should spend the $45 or so for the benifits the Pro version offers.

Thx. I do have:

Ad-Aware
SpyBot
SpywareBlaster
awfree (Trojan finder)
CWShredder 1.59.1 (the very last one)
AVG AntiVirus
Kerio firewall

The website "itself" is safe enough:
LAKELAND

The "Technically? Yes it's possible" (#1) makes me think it best to dump the cookie. It's not that bad to type in my email and password.

Derek.W

I like cookies myself. They are best when they come out of the oven all nice an warm :)

If you are using IE you can disable 3rd party cookies which are the ones that track you on the internet but Spybot and Ad-Aware will pick the bad ones up. I do not mind cookies, they are not bad things and some are very tasty :)

KTTD

Though I walk through the valley of Microsoft, I shall fear no OS for skills are with me

to answer the question, older versions of IE could allow third parties to read cookies.
That was fixed here:
http://www.microsoft.com/technet/security/bulletin/MS00-033.mspx

I have not heard of that happening with newer releases of IE.

KTTD
Yeah, hot cookies are best LOL.

Should have said I'm still on IE55 SP2 (will be going to IE6 SP1 soon, as a precursor to broadband). Couldn't find that "disable 3rd party cookies" tweak in my Internet Options. Maybe I should try harder, or perhaps it only applies to IE6.

blackdogx
Thanks, great, looks like I missed that one. Even "my" browser isn't "that" old, so you've put my mind at ease and answered the question.

I have several websites set that way but usually the email address shows as user name, but not the password. Lakeland is the first one that by-passed the password, hence it was obviously burried in the cookie (though not directly readable as text).

Derek.W

This you would be interested in watching.

Thx Pr3d, I'm right with you. Still foxed about "disable 3rd party cookies" tho. Maybe those entries translate to that somehow.

Derek.W

Still foxed about "disable 3rd party cookies" tho

Enjoy watching THIS. (Blocking Third Party Cookies in IE6)

i_XpUser

XpUser

Thx, you've cleared that up (IE6 feature).

As I said, rather late, in #6, I've yet to move to IE6 - another good reason for doing so then ....

Derek.W