If you are currently using Microsoft's Internet Explorer, everything you type in the browser's address bar may be leaked to sites.
The issue was disclosed by security researcher Manuel Caballero on Tuesday on the Broken Browser website.
When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own. To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker.
Basically, what it means is that sites may run a simple script to find out what users type in the Internet Explorer address bar while the user is on the site.
You can check out this proof of concept page to find out if your version of Internet Explorer, or in fact any other browser, is affected by the issue.
Simply type anything that comes to mind in Internet Explorer's address bar while you are on the page, and hit the Enter key afterwards. The web page will intercept the load process, e.g. the loading of Bing search if you did not type an address, and display the query to you on the page that it loads.
This confirms that anything you type may be leaked to the site if it implements such a script. Details on how the researcher stumbled upon the bug are available in the disclosure post.
Internet Explorer's handling of location objects during "onbeforeunload" is flawed, as it returns the location the browser is going to or what is currently written into the address bar.
In other words, if we retrieve the location.href of the object while the user is leaving the main page, we will be able to know what was typed into the address-bar, or, if the user clicked on a link we will know the address of the link that the browser is going to.
That’s it! Now we will retrieve the object location when the user is leaving and know exactly what she typed into the address bar. It does not have to be a full URL, for example, if the user types words into the address bar, it will automatically be converted to a search query URL (Bing by default on IE) which can of course be completely read!
Here is a demo video that showcases the vulnerability in Internet Explorer:
I tested this in the most recent version of Internet Explorer on Windows 10, and it is affected by the issue.
There is no workaround right now to protect what you type from being leaked in Internet Explorer. The two options that you have are to either be very careful when it comes to entering anything in the browser's address bar, or to use a different browser until Microsoft fixes the issue.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.