Dangerous IE vulnerability opens door to powerful phishing attacks

The flaw can be used to steal authentication cookies and inject rogue code into websites

An Internet Explorer vulnerability lets attackers bypass the Same-Origin Policy, a fundamental browser security mechanism, to launch highly credible phishing attacks or hijack users' accounts on any website.

The flaw, described as a universal cross-site scripting vulnerability, was disclosed Saturday on the Full Disclosure mailing list by David Leo, a researcher with a security consultancy firm called Deusen. Leo's post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.

When opened in Internet Explorer 11 on an up-to-date installation of Windows 8.1, the exploit page presents the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site's content is replaced with a page reading "Hacked by Deusen."

The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.

Instead of dailymail.co.uk, an attacker could use a bank's website and then inject a rogue form asking the user for private financial information. Since the browser's address bar would continue to display the bank's legitimate domain name, there would be little indication to the user that something is amiss.

The attack also works if the targeted site uses HTTPS (HTTP with SSL encryption), according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.

Fowler found "quirks" testing the vulnerability, but concluded that the attack "most definitely works."

"It even bypasses standard HTTP-to-HTTPS restrictions," he wrote.

What's worse is that the Same-Origin Policy (SOP) is bypassed. This security mechanism, present in all browsers, prevents code from one website, when that site is loaded in an iframe inside a different website, from manipulating the content of the embedding site, and vice versa.

For example, without this security boundary, site A could read the authentication cookies of a user logged into site B when that user visited site A. Authentication cookies are identifiers that websites set in browsers in order to remember authenticated users. If copied into another browser, these cookies can automatically grant access to the accounts they correspond to.

This IE flaw has the same effect as cross-site scripting (XSS) vulnerabilities, which typically allow attackers to steal cookies and display rogue content on vulnerable sites by injecting rogue content through their URLs. The Internet Explorer vulnerability renders all sites vulnerable to XSS, which is why Leo called it a universal XSS.

"Universal XSS is a browser flaw which would allow an attacker to execute script content in the context of any site regardless of a pre-existing flaw on the website," said Craig Young, a security researcher at Tripwire, who also analyzed the published exploit. "Successful exploitation of a universal XSS bug requires only that an attacker can entice a victim to load a malicious site. This could be in the form of malvertising, phishing, or even comment spam."

The malvertising vector is already widely used by attackers and involves tricking advertising networks into accepting malicious ads that then get displayed on legitimate websites. By combining malvertising with this IE flaw, attackers could steal authentication cookies en masse from different websites.

Young couldn't confirm whether this vulnerability can be exploited without user interaction; the proof-of-concept exploit requires victims to click on a link. However, even if user interaction is required, many social engineering techniques can be used to obtain it.

According to Young, the flaw might only affect IE 11 or a limited number of newer IE versions. For example, the researcher couldn't replicate the attack on IE 8 running on Windows 7.

The vulnerability might not be as critical as the Same-Origin bypass flaw discovered in the Android default browser a few months ago, but Microsoft should address it as soon as possible, Young said.

"We are not aware of this vulnerability being actively exploited and are working on a security update," a Microsoft representative said via email. "We continue to encourage customers to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information."

The good news is that websites can protect themselves from being targeted through this vulnerability by using a security header called X-Frame-Options with the "DENY" or "SAMEORIGIN" values, which prevents other sites from loading them in iframes. This was noted by both Fowler and Daniel Cid, the CTO of Web security firm Sucuri.

Unfortunately, this is a recommended security header that very few sites make use of, Cid said via email.
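As an added illustration of the mitigation described above (not code from the article or from any of the researchers quoted), the following script audits a captured HTTP response header block for X-Frame-Options and reports whether the page is protected against being loaded in a foreign iframe. The sample header blocks are constructed for the example.

```python
"""Audit an HTTP response header block for the X-Frame-Options framing defence."""
from typing import Dict, List

# Values that stop a foreign site from loading the page in an iframe.
SAFE_VALUES = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw response header block into lowercased name -> list of values.

    Repeated headers are kept in order so conflicting copies can be detected.
    The status line and blank lines are skipped."""
    headers: Dict[str, List[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n"):
        if not line.strip() or line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_x_frame_options(raw: str) -> str:
    """Classify the X-Frame-Options posture of a response.

    Returns one of: 'protected' (DENY or SAMEORIGIN), 'missing' (header absent),
    'conflicting' (several copies with different values; browser handling of
    this varies, so it needs manual review), 'weak' (legacy ALLOW-FROM, which
    not all browsers honour) or 'invalid' (unrecognised value)."""
    values = parse_headers(raw).get("x-frame-options")
    if not values:
        return "missing"
    normalized = {v.upper() for v in values}
    if len(normalized) > 1:
        return "conflicting"
    value = normalized.pop()
    if value in SAFE_VALUES:
        return "protected"
    if value.startswith("ALLOW-FROM"):
        return "weak"
    return "invalid"


# Constructed sample responses (not captured from any real site).
PROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: session=abc; Secure\r\n"
CONFLICTING = "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\nX-Frame-Options: SAMEORIGIN\r\n"
LEGACY = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n"

if __name__ == "__main__":
    for label, block in [("protected", PROTECTED), ("missing", MISSING),
                         ("conflicting", CONFLICTING), ("legacy", LEGACY)]:
        print(f"{label:12s} -> {check_x_frame_options(block)}")
```

Modern deployments also set Content-Security-Policy: frame-ancestors, which this check does not inspect.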
