Cookie-jacking identified as a security risk

The problem, says Rosario Valotta, means that Internet Explorer is effectively subject to a zero-day vulnerability that allows hackers to hijack any cookie on any web site.

Valotta has been detailing his findings at IT security conferences and, according to the Reuters newswire, the cookie-jacking problem, as he calls it, is a potentially major issue.

"Any website. Any cookie. Limit is just your imagination," he told the newswire in an email interview.

Valotta reportedly claims that hackers can exploit the IE flaw by persuading users to drag and drop an object across the PC's screen before the cookie can be hijacked.

"That sounds like a difficult task, but Valotta said he was able to do it fairly easily. He built a puzzle that he put up on Facebook in which users are challenged to 'undress' a photo of an attractive woman", he said.

"I published this game online on Facebook and in less than three days, more than 80 cookies were sent to my server," he told Reuters. "And I've only got 150 friends."

Microsoft has responded to Valotta's claims saying there "is little risk a hacker could succeed in a real-world cookie-jacking scam."

"Given the level of required user interaction, this issue is not one we consider high risk," a Microsoft spokesman told the Reuters newswire.

"In order to possibly be impacted a user must visit a malicious website, be convinced to click and drag items around the page and the attacker would need to target a cookie from the website that the user was already logged into", he added.
