Address bar spoofing flaw in Internet Explorer


Yorick Koster, August 2004

Abstract


An address bar spoofing flaw has been discovered in Internet Explorer. Using this flaw, an attacker can 'hide' the actual location of the website the target user is currently viewing. Doing so may trick the target user into supplying confidential information, for example credit card numbers, to the attacker.

Tested versions


This issue has been tested on Internet Explorer 6 SP1 (Windows 2000) with the latest security patches (July 2004) applied.

Fix


This issue was addressed by MS06-021.

Introduction


In JavaScript, it is possible to temporarily pause the execution of JavaScript code using dialog boxes. When a page is loaded into the same frame/window as a page that is waiting for the user to close a dialog box, Internet Explorer waits until the user does so. Only after this does Internet Explorer start rendering the new page. For example:

<script type="text/javascript">
   var w = window.open('javascript:alert(\'Hello World!\');', '_blank');
   setTimeout('w.location.href="http://www.akitasecurity.nl"', 100);
</script>


This example opens a new window and sets its location to javascript:alert('Hello World!'); this causes the new window to display a dialog box. After this, we try to load another page in this window. Under normal conditions, Internet Explorer will only start rendering the new page after the user clicks the OK button.

Address bar spoofing


It appears that certain character encodings can be used to load a new page in a frame/window, even if this frame/window is currently waiting for the user to close a dialog box. At the moment, the Google website uses such a character encoding in its HTML documents. The Google website has the following meta tag in its document header:

<meta http-equiv="content-type" content="text/html; charset=UTF-8">

Example:

<script type="text/javascript">
   var w = window.open('javascript:alert(\'Hello World!\');', '_blank');
   setTimeout('w.location.href="http://www.google.com"', 100);
</script>


If we are using a vulnerable version of Internet Explorer, we can see (in the example above) that the Google website may be rendered by Internet Explorer before we press the OK button. What is even more interesting is that the address bar is not changed.

Note: a message about this behavior was posted to the Bugtraq mailing list on January 22, 2005.

Phishing


The above example is not very useful, since the address in the address bar is unlikely to convince someone to enter confidential information on this page. However, if we can find a website that generates a dialog box, then we can replace that site with a custom page that is under our control. The address bar will still show the location of the original website. This technique can, for example, be used in phishing emails.

The difficult part of this vulnerability is locating such a website. Lots of websites contain client-side scripts for validating form data, but most of these scripts cannot be triggered without user interaction (i.e. from a remote location). Therefore, exploitation of this issue is not easy. The example below demonstrates this issue using the website security.nl, a well-known Dutch security website. The registration form on this website generates an alert when someone submits invalid data.

<script type="text/javascript">
   function example_3()
   {
      setTimeout('window.open(\'index.html\', \'example_3\');', 3000);
   }
</script>
   
<form method="post" action="http://www.security.nl/aanmelden" onsubmit="return example_3();">
   <input type="hidden" name="email" value="">
   <input type="hidden" name="email" value="">
   <input type="hidden" name="news" value="0">
   <input type="hidden" name="hideanon" value="0">
   <input type="hidden" name="store" value="1">
   <input type="submit" value="Example 3">
</form>
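The precondition for the phishing variant above is a site whose response to a bad submission pops a modal dialog. The following added example (not code from the advisory, and not security.nl's own code) shows the same server-side validation written two ways: the "before" handler emits a blocking alert() in the response, the pattern this advisory relies on, while the "after" handler reports the error inline and so never leaves the window paused on a dialog. The field names (email, news, hideanon, store) are taken from the advisory's form; the validation rules, messages, page template and the /aanmelden path are assumptions.

```javascript
// Added example, not part of the advisory. Two ways for a registration
// handler to report a validation failure: via a blocking dialog (the
// pattern the address bar spoof needs) and via inline markup (no dialog,
// so nothing for the spoof to latch onto). Field names follow the
// advisory's form; everything else here is assumed.

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate the submitted fields; return a list of human-readable problems.
function validateRegistration(fields) {
  const errors = [];
  const email = (fields.email || '').trim();
  if (email === '') {
    errors.push('E-mail address is required.');
  } else if (!EMAIL_RE.test(email)) {
    errors.push('E-mail address is not valid.');
  }
  for (const flag of ['news', 'hideanon', 'store']) {
    const v = fields[flag];
    if (v !== undefined && v !== '0' && v !== '1') {
      errors.push('Field ' + flag + ' must be 0 or 1.');
    }
  }
  return errors;
}

// Escape text for safe insertion into HTML; the inline version echoes the
// rejected value back into the page, so this is required there.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ESCAPES[c]);
}

// BEFORE: the error is reported with a blocking dialog in the response body.
// The alert() halts script execution in that window; on a vulnerable IE a
// different document could be rendered behind it while the address bar
// keeps showing this site's location.
function renderWithDialog(fields) {
  const errors = validateRegistration(fields);
  if (errors.length === 0) return '<p>Registration complete.</p>';
  // JSON.stringify keeps the message a valid JavaScript string literal.
  return '<script>alert(' + JSON.stringify(errors.join(' ')) + ')</script>';
}

// AFTER: same validation, errors rendered as ordinary markup. No modal
// dialog is produced, so the precondition for the spoof is absent.
function renderInline(fields) {
  const errors = validateRegistration(fields);
  if (errors.length === 0) return '<p>Registration complete.</p>';
  const items = errors.map(e => '<li>' + escapeHtml(e) + '</li>').join('');
  return '<form method="post" action="/aanmelden">' +
    '<ul class="errors">' + items + '</ul>' +
    '<label>E-mail <input name="email" value="' + escapeHtml(fields.email || '') + '"></label>' +
    '<input type="submit" value="Register"></form>';
}

// Audit helper: true if a response body would open a modal dialog via
// inline script. Useful for checking one's own error pages.
function usesModalDialog(html) {
  return /\b(alert|confirm|prompt)\s*\(/.test(html);
}

// Constructed sample: the empty submission produced by the advisory's
// hidden form fields.
const sampleSubmission = { email: '', news: '0', hideanon: '0', store: '1' };

const demoBefore = renderWithDialog(sampleSubmission); // contains alert(...)
const demoAfter = renderInline(sampleSubmission);      // plain markup, no dialog
console.log(demoBefore);
console.log(demoAfter);
```

Running the block prints the two response bodies for the same invalid submission; usesModalDialog() reports true for the first and false for the second. The inline version also escapes the echoed input, which the dialog version only gets for free because JSON.stringify quotes the message.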


Spoofing and HTTPS


It appears that if we execute this attack against websites served over a secure channel (HTTPS), the certificate of the target website is also not updated. This is demonstrated in figure 1 and figure 2, in which the address bar and certificate details are those of the ING Bank website, while the content is that of ABN AMRO.


Figure 1: address bar spoofing of ING Bank


Figure 2: certificate spoofing of ING Bank