Dangerous IE vulnerability opens door to powerful phishing attacks

The flaw can be used to steal authentication cookies and inject rogue code into websites

An Internet Explorer vulnerability lets attackers bypass the Same-Origin Policy, a fundamental browser security mechanism, to launch highly credible phishing attacks or hijack users' accounts on any website.

The flaw, described as a universal cross-site scripting vulnerability, was disclosed Saturday on the Full Disclosure mailing list by David Leo, a researcher with a security consultancy firm called Deusen. Leo's post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.

When opened in Internet Explorer 11 on an up to date installation of Windows 8.1, the exploit page provides the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site's content is replaced with a page reading "Hacked by Deusen."

The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.

Instead of dailymail.co.uk, an attacker could use a bank's website and then inject a rogue form asking the user for private financial information. Since the browser's address bar would continue to display the bank's legitimate domain name, there would be little indication to the user that something is amiss.

The attack also works if the targeted site uses HTTPS (HTTP with SSL encryption), according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.

Fowler found "quirks" testing the vulnerability, but concluded that the attack "most definitely works."

"It even bypasses standard HTTP-to-HTTPS restrictions," he wrote.

What's worse is that the Same-Origin Policy (SOP) is bypassed. This is a security mechanism that exists in all browsers to prevent code from one website that is loaded in an iframe in a different website to manipulate the content of that site, or vice versa.

For example, without this security boundary, site A could read the authentication cookies of a user logged into site B when that user visited site A. Authentication cookies are identifiers that websites set in browsers in order to remember authenticated users. If copied into another browser, these cookies can automatically grant access to the accounts they correspond to.

This IE flaw has the same effect as cross-site scripting (XSS) vulnerabilities, which typically allow attackers to steal cookies and display rogue content on vulnerable sites by injecting rogue content through their URLs. The Internet Explorer vulnerability renders all sites vulnerable to XSS, which is why Leo called it an universal XSS.

"Universal XSS is a browser flaw which would allow an attacker to execute script content in the context of any site regardless of a pre-existing flaw on the website," said Craig Young, a security researcher at Tripwire, who also analyzed the published exploit. "Successful exploitation of a universal XSS bug requires only that an attacker can entice a victim to load a malicious site. This could be in the form of malvertising, phishing, or even comment spam."

The malvertising vector is already widely used by attackers and involves tricking advertising networks into accepting malicious ads that then get displayed on legitimate websites. By combining malvertising with this IE flaw, attackers could steal authentication cookies en-masse from different websites.

Young couldn't confirm whether exploiting this vulnerability can happen without user interaction -- the proof-of-concept exploit requires victims to click on a link. However, even if user interaction is required, many social engineering techniques can be used to obtain it.

According to Young, the flaw might only affect IE 11 or a limited number of newer IE versions. For example, the researcher couldn't replicate the attack on IE 8 running on Windows 7.

The vulnerability might not be as critical as the Same-Origin bypass flaw discovered in the Android default browser a few months ago, but Microsoft should address it as soon as possible, Young said.

"We are not aware of this vulnerability being actively exploited and are working on a security update," a Microsoft representative said via email. "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

The good news is that websites can protect themselves from being targeted through this vulnerability by using a security header called X-Frame-Options with the "deny" or "same-origin" values, which prevents other sites from loading them in iframes. This was noted by both Folwer and Daniel Cid, the CTO of Web security firm Sucuri.

Unfortunately, this is a recommended security header that very few sites make use of, Cid said via email.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags online safetyMicrosoftTripwiresecurityTumblrAccess control and authenticationDeusenExploits / vulnerabilitiesprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?