Dangerous IE vulnerability opens door to powerful phishing attacks

The flaw can be used to steal authentication cookies and inject rogue code into websites

An Internet Explorer vulnerability lets attackers bypass the Same-Origin Policy, a fundamental browser security mechanism, to launch highly credible phishing attacks or hijack users' accounts on any website.

The flaw, described as a universal cross-site scripting vulnerability, was disclosed Saturday on the Full Disclosure mailing list by David Leo, a researcher with a security consultancy firm called Deusen. Leo's post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.

When opened in Internet Explorer 11 on an up to date installation of Windows 8.1, the exploit page provides the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site's content is replaced with a page reading "Hacked by Deusen."

The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.

Instead of dailymail.co.uk, an attacker could use a bank's website and then inject a rogue form asking the user for private financial information. Since the browser's address bar would continue to display the bank's legitimate domain name, there would be little indication to the user that something is amiss.

The attack also works if the targeted site uses HTTPS (HTTP with SSL encryption), according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.

Fowler found "quirks" testing the vulnerability, but concluded that the attack "most definitely works."

"It even bypasses standard HTTP-to-HTTPS restrictions," he wrote.

What's worse is that the Same-Origin Policy (SOP) is bypassed. This is a security mechanism that exists in all browsers to prevent code from one website that is loaded in an iframe in a different website to manipulate the content of that site, or vice versa.

For example, without this security boundary, site A could read the authentication cookies of a user logged into site B when that user visited site A. Authentication cookies are identifiers that websites set in browsers in order to remember authenticated users. If copied into another browser, these cookies can automatically grant access to the accounts they correspond to.

This IE flaw has the same effect as cross-site scripting (XSS) vulnerabilities, which typically allow attackers to steal cookies and display rogue content on vulnerable sites by injecting rogue content through their URLs. The Internet Explorer vulnerability renders all sites vulnerable to XSS, which is why Leo called it an universal XSS.

"Universal XSS is a browser flaw which would allow an attacker to execute script content in the context of any site regardless of a pre-existing flaw on the website," said Craig Young, a security researcher at Tripwire, who also analyzed the published exploit. "Successful exploitation of a universal XSS bug requires only that an attacker can entice a victim to load a malicious site. This could be in the form of malvertising, phishing, or even comment spam."

The malvertising vector is already widely used by attackers and involves tricking advertising networks into accepting malicious ads that then get displayed on legitimate websites. By combining malvertising with this IE flaw, attackers could steal authentication cookies en-masse from different websites.

Young couldn't confirm whether exploiting this vulnerability can happen without user interaction -- the proof-of-concept exploit requires victims to click on a link. However, even if user interaction is required, many social engineering techniques can be used to obtain it.

According to Young, the flaw might only affect IE 11 or a limited number of newer IE versions. For example, the researcher couldn't replicate the attack on IE 8 running on Windows 7.

The vulnerability might not be as critical as the Same-Origin bypass flaw discovered in the Android default browser a few months ago, but Microsoft should address it as soon as possible, Young said.

"We are not aware of this vulnerability being actively exploited and are working on a security update," a Microsoft representative said via email. "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

The good news is that websites can protect themselves from being targeted through this vulnerability by using a security header called X-Frame-Options with the "deny" or "same-origin" values, which prevents other sites from loading them in iframes. This was noted by both Folwer and Daniel Cid, the CTO of Web security firm Sucuri.

Unfortunately, this is a recommended security header that very few sites make use of, Cid said via email.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags online safetyMicrosoftTripwiresecurityTumblrAccess control and authenticationDeusenExploits / vulnerabilitiesprivacy

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


GGG Evaluation Team

Kathy Cassidy


First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni


For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell


The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi


The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott


My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?