Microsoft’s Internet Explorer browser is affected by a serious bug that allows rogue sites to detect what the user is typing in his URL address bar.
This includes new URLs where the user might be navigating to, but also search terms that IE automatically handles via a Bing search. Users copy-pasting URLs for Intranet pages inside IE would likely see this bug as a big issue.
The bug, spotted by security researcher Manuel Caballero, poses a privacy risk, as it could be used in reconnaissance operations in targeted attacks, but also for data harvesting by online advertisers.
Bug is easy to exploit
The bug occurs when IE loads a page with (1) a malicious HTML object tag and (2) features the compatibility meta tag in its source code. Both conditions are quite easy to meet.
Condition two: X-UA-Compatible is a document mode meta tag that allows web authors to choose what version of Internet Explorer the page should be rendered as. Almost all sites on the Internet have a compatibility meta tag.
Bug occurs because IE gets confused
In layman’s terms, this means the malicious object HTML tag — which can be loaded and hidden inside a page — will have access to resources and information previously available to the main browser window.
In a technical write-up of the bug, Caballero says the malicious object can then “retrieve the location.href of the object while the user is leaving the main page,” allowing an attacker to “know what [the user] typed into the address-bar.”
Caballero has set up a demo page here [works only in Internet Explorer]. A demo video of the attack is also embedded below.
Caballero has not reported the bug to Microsoft. Bleeping Computer has reached out to Microsoft for comment.
In addition, Caballero has also discovered lots of security bugs in Microsoft’s newest browser, Edge [1, 2, 3, 4], some of which Microsoft addressed, but others didn’t.