Internet Explorer Bug Leaks What Users Type in the URL Address Bar

Share this…

Microsoft’s Internet Explorer browser is affected by a serious bug that allows rogue sites to detect what the user is typing in his URL address bar.

This includes new URLs where the user might be navigating to, but also search terms that IE automatically handles via a Bing search. Users copy-pasting URLs for Intranet pages inside IE would likely see this bug as a big issue.

The bug, spotted by security researcher Manuel Caballero, poses a privacy risk, as it could be used in reconnaissance operations in targeted attacks, but also for data harvesting by online advertisers.

Bug is easy to exploit

The bug occurs when IE loads a page with (1) a malicious HTML object tag and (2) features the compatibility meta tag in its source code. Both conditions are quite easy to meet.

Condition one: Attackers can hide malicious HTML object tags in hacked sites or load it via ads that allow advertisers to load custom HTML and/or JavaScript code.

Condition two: X-UA-Compatible is a document mode meta tag that allows web authors to choose what version of Internet Explorer the page should be rendered as. Almost all sites on the Internet have a compatibility meta tag.

Bug occurs because IE gets confused

According to Caballero, when JavaScript code runs in the malicious object HTML tag, “the location object will get confused and return the main location instead of its own.”

In layman’s terms, this means the malicious object HTML tag — which can be loaded and hidden inside a page — will have access to resources and information previously available to the main browser window.

In a technical write-up of the bug, Caballero says the malicious object can then “retrieve the location.href of the object while the user is leaving the main page,” allowing an attacker to “know what [the user] typed into the address-bar.”

Caballero has set up a demo page here [works only in Internet Explorer]. A demo video of the attack is also embedded below.

Caballero has not reported the bug to Microsoft. Bleeping Computer has reached out to Microsoft for comment.

Previously, Caballero also discovered a bug in Internet Explorer that allows malicious JavaScript code to persist and keep running in the browser’s background even if the user has closed the malicious page’s tab. This bug is could be abused by malvertising campaigns to deliver cryptocurrency miners that utilize a user’s computational resources to mine Monero long after the user has visited a malicious site, causing the user’s computer to slow down and a premature wear of the user’s processor.

In addition, Caballero has also discovered lots of security bugs in Microsoft’s newest browser, Edge [1, 2, 3, 4], some of which Microsoft addressed, but others didn’t.