Internet Explorer bug leaks what you type to sites
If you currently use Microsoft's Internet Explorer, everything you type in the browser's address bar may be leaked to sites.
The issue was disclosed by security researcher Manuel Caballero on Tuesday on the Broken Browser website.
When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own. To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker.
Basically, what it means is that sites may run a simple script to find out what users type in the Internet Explorer address bar while the user is on the site.
You can check out this proof of concept page to find out if your version of Internet Explorer, or in fact any other browser, is affected by the issue.
Simply type anything that comes to your mind in Internet Explorer's address bar while you are on the page, and hit the Enter-key afterwards. The web page will intercept the load process, e.g. the loading of Bing search if you did not type an address, and display the query to you on the page that it loads.
This confirms that anything you type may be leaked to the site if it implements such a script. Details on how the researcher stumbled upon the bug are posted in the disclosure post.
Internet Explorer's handling of location objects when injected "onbeforeunload" is flawed, as it returns the location the browser is going to or what is currently written into the address bar.
In other words, if we retrieve the location.href of the object while the user is leaving the main page, we will be able to know what was typed into the address-bar, or, if the user clicked on a link we will know the address of the link that the browser is going to.
That’s it! Now we will retrieve the object location when the user is leaving and know exactly what she typed into the address bar. It does not have to be a full URL, for example, if the user types words into the address bar, it will automatically be converted to a search query URL (Bing by default on IE) which can of course be completely read!
Here is a demo video that showcases the vulnerability in Internet Explorer:
I tested this in the most recent version of Internet Explorer on Windows 10, and it is affected by the issue.
There is no workaround right now to protect what you type from being leaked in Internet Explorer. The two options that you have are to either be very careful when it comes to entering anything in the browser's address bar, or to use a different browser until Microsoft fixes the issue.
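For defenders inspecting page content (for example at a proxy or in a crawler), the traits named on this page can be checked together: an HTML document embedded through an object tag, an onbeforeunload hook, and the legacy IE document mode that a reader comment on this page reports the demo relies on. The following is an added example, not code from the researcher or from this article; it assumes the legacy mode is requested through the X-UA-Compatible header or meta tag, and the function names and sample pages are constructed.

```javascript
// Heuristic triage of a fetched page for the three traits described on this page.
// Regex matching approximates an HTML parser; treat a hit as a prompt for review.

// Legacy document modes named in the comments: IE8, IE7 and IE5 quirks.
const LEGACY_MODE = /IE\s*=\s*(?:5|7|8|EmulateIE7|EmulateIE8)\b/i;

function legacyModeRequested(html, headers) {
  // Assumption: the mode is requested by a response header or by a <meta> tag.
  const header = Object.keys(headers || {})
    .filter((k) => k.toLowerCase() === 'x-ua-compatible')
    .map((k) => String(headers[k]))
    .join(',');
  const metas = html.match(/<meta\b[^>]*>/gi) || [];
  const meta = metas
    .filter((m) => /http-equiv\s*=\s*["']?x-ua-compatible/i.test(m))
    .join(',');
  return LEGACY_MODE.test(header) || LEGACY_MODE.test(meta);
}

function htmlObjectEmbedded(html) {
  // <object> elements that load an HTML document rather than a plugin.
  const objects = html.match(/<object\b[^>]*>/gi) || [];
  return objects.some((o) =>
    /type\s*=\s*["']?text\/html/i.test(o) ||
    /data\s*=\s*["']?[^"'\s>]+\.html?\b/i.test(o));
}

function unloadHookPresent(html) {
  // Covers the attribute form, property assignment and addEventListener('beforeunload').
  return /\bonbeforeunload\b/i.test(html) || /["']beforeunload["']/i.test(html);
}

function triagePage(html, headers) {
  const signals = {
    legacyMode: legacyModeRequested(html, headers),
    htmlObject: htmlObjectEmbedded(html),
    unloadHook: unloadHookPresent(html),
  };
  // Each trait is common and benign alone; only the combination merits review.
  const review = signals.legacyMode && signals.htmlObject && signals.unloadHook;
  return { signals, review };
}

// Constructed samples (not taken from the proof-of-concept page).
const SAMPLE_FLAGGED = '<meta http-equiv="X-UA-Compatible" content="IE=8">' +
  '<object data="inner.html" type="text/html"></object>' +
  '<script>window.onbeforeunload = function () { /* body omitted */ };</script>';
const SAMPLE_BENIGN = '<!DOCTYPE html><meta http-equiv="X-UA-Compatible" content="IE=edge">' +
  '<object data="movie.swf" type="application/x-shockwave-flash"></object>';
```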
Must be a prime feature of IE. :P
Using IE 11 on Win 8.1. I typed an address in my task bar address applet and my typed site was not revealed. (duickduck.com)
In browser development, there seems to be an obsession today with unifying the search and address bars, and also fetching matches in real-time. The outcome of this is that the search engine (Google, Bing, Yahoo) knows any and everything that you enter into the unified bar, before you even press the enter key!
You might not want the search engine collecting the addresses you visit, and if you are a typical user who signs into Google, Yahoo, or Bing and never clears cookies, the search engine can then associate everything that you punched into the address bar with an actual identity too! It is way creepy and also beyond the grasp or understanding of most people.
Disable javascript …unless it’s really needed. Javascript is always a prime vulnerability.
Avoid Internet Explorer ….unless really needed. IE is always a prime vulnerability in itself.
Use multiple browsers, configured to the internet task needed at the moment. More secure browsers (like Pale Moon) should be the default for routine use.
Use extensions like NoScript to limit javascript … when your tasks require javascript enabled.
Still fairly common to encounter websites that only render properly with IE — very annoying.
This article is inaccurate as the vulnerability can be worked around by disabling JavaScript in IE:
Internet Options > Security > Internet (Security Zone) > Custom level… > Scripting > Active scripting > Disable
In the latest Firefox Nightly with JavaScript enabled, if you use the back button after, for example, performing a search query in the address bar, it will show the proof of concept’s hijacking page like it does on IE with JavaScript enabled.
I posted the wrong link by mistake, here’s the correct one: https://www.cracking.com.ar/demos/ieaddressbarguess/loc.html
Additionally, it doesn’t work if IE11 forces the HTML5 spec’s standards mode or the legacy IE9 and IE10 document modes through the F12 Developer Tools. The page is set to load in the legacy IE8 document mode, which is vulnerable like the legacy IE7 document mode and legacy IE5 quirks mode (like all other browsers, IE10+ and Edge use the HTML5 spec’s quirks mode by default when the page does not explicitly declare the DOCTYPE).
Chrome shows the hijacking page for a split second before it lands the user where it was told to. Like on IE in standards mode and Firefox, no user input is captured, even with JavaScript enabled.
Still I won’t use Edge. Chrome if not IE. Edge is really, really crap.
It really, really isn’t. At least it hasn’t been since the last Creators Update and it should only get better when the next Windows update comes along. Don’t get me wrong, Edge has plenty of issues that have been discussed to death here and elsewhere, but it simply is not “crap”. IE is “crap”, Edge is simply a good, but flawed browser.
Martin,
In your summary you state that one workaround is to use another web browser, but my question would be: is that certain?
It would require on your part to test all other browsers in use against this same effect to be able to conclude that. Did you test all other browsers?
No, but some. It appears to be IE only. Obviously, you need to run the test on that browser as well. But, Chrome, Edge, Firefox, Opera or Vivaldi are not affected by this.
Hy, StartPage sends search queries using HTTP POST requests by default whereas Bing sends them using HTTP GET requests.
Only Internet Explorer 8 and earlier versions are vulnerable to this bug. The reason why versions 9 to 11 are affected is because they have modes to render pages as if they were older versions (these modes were all deprecated in IE11 and fully removed in Edge). If the site author decides to do the right thing by not using IE-specific compatibility checks on their pages, then IE will simply detect standards mode or quirks mode as defined by the HTML5 spec, which is what any other browser does, and, as such, users won’t be impacted by this security flaw.
Internet Explorer 11 is the last version of IE and versions 10 and prior are no longer supported by Microsoft as per their current lifecycle policy, especially since both Windows XP and Vista have reached their end-of-life as well.
A brand new clean installation of Vivaldi on my machine is at least somewhat affected by this vulnerability.
Vivaldi suddenly stopped opening for me a few weeks ago and yesterday I searched in vain to try to find a solution. I finally gave up and completely removed Vivaldi and downloaded and did a clean install of the latest 64-bit version of it. Haven’t had time yet to add a single extension to it. When I saw this article today, I ran the above test on the latest versions of five browsers: Cyberfox, Firefox ESR, Vivaldi, Seamonkey, and Brave. On my machine all browsers passed the test except for Vivaldi. Using Vivaldi the test site above intercepts me every time after I type a search request in the address bar, and a page from the test site flashes up for a second, then Vivaldi proceeds as it should to my default search engine’s (Startpage) results page.
Interestingly, the page intercept doesn’t show, as in the Bing “ghacks rules” example above, the correct page I’m going to and what I searched for, but the test site above does intercept me on Vivaldi every time I run the test… (Maybe the discrepancy is due to Startpage hiding the search request terms in the URL, and Bing not doing so?)
Okay.
Thanks for the quick reply.