Internet Explorer Bug Leaks What Users Type in the URL Address Bar

itman · Sep 27, 2017

Based on my testing, keeping ActiveX disabled defeats his POC. Just like it does for his "zombie browser" POC in regards to coin miners.

Microsoft's Internet Explorer browser is affected by a serious bug that allows rogue sites to detect what the user is typing in his URL address bar.

This includes new URLs where the user might be navigating to, but also search terms that IE automatically handles via a Bing search. Users copy-pasting URLs for Intranet pages inside IE would likely see this bug as a big issue.

The bug, spotted by security researcher Manuel Caballero, poses a privacy risk, as it could be used in reconnaissance operations in targeted attacks, but also for data harvesting by online advertisers.

Bug occurs because IE gets confused

According to Caballero, when JavaScript code runs in the malicious object HTML tag, "the location object will get confused and return the main location instead of its own."

In layman's terms, this means the malicious object HTML tag — which can be loaded and hidden inside a page — will have access to resources and information previously available to the main browser window.

In a technical write-up of the bug, Caballero says the malicious object can then "retrieve the location.href of the object while the user is leaving the main page," allowing an attacker to "know what [the user] typed into the address-bar."

Caballero has set up a demo page here [works only in Internet Explorer]. A demo video of the attack is also embedded below.
Click to expand...

https://www.bleepingcomputer.com/ne...leaks-what-users-type-in-the-url-address-bar/

Circuit · Sep 27, 2017

Do people really use IE anymore?

Tarnak · Sep 27, 2017

I have Edge and IE on my Surface Book. But, I don't use Edge that much, and IE, not at all.

Rasheed187 · Sep 30, 2017

Circuit said: ↑

Do people really use IE anymore?
Click to expand...

Yes, if you're still using IE, there must be something wrong. IE is crap that should be avoided at all costs.

Log in or Sign up

Internet Explorer Bug Leaks What Users Type in the URL Address Bar

itman Registered Member

Circuit Registered Member

Tarnak Registered Member

Rasheed187 Registered Member

Log in or Sign up

Internet Explorer Bug Leaks What Users Type in the URL Address Bar

itman Registered Member

Circuit Registered Member

Tarnak Registered Member

Rasheed187 Registered Member

Useful Searches