An Internet Explorer vulnerability lets attackers bypass the Same-Origin Policy, a fundamental browser security mechanism, to launch highly credible phishing attacks or hijack users' accounts on any website.
The flaw, described as a universal cross-site scripting vulnerability, was disclosed Saturday on the Full Disclosure mailing list by David Leo, a researcher with a security consultancy firm called Deusen. Leo's post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target.
When opened in Internet Explorer 11 on an up-to-date installation of Windows 8.1, the exploit page provides the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the site's content is replaced with a page reading "Hacked by Deusen."
The rogue page is loaded from an external domain, but the browser's address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks.
Instead of dailymail.co.uk, an attacker could use a bank's website and then inject a rogue form asking the user for private financial information. Since the browser's address bar would continue to display the bank's legitimate domain name, there would be little indication to the user that something is amiss.
The attack also works if the targeted site uses HTTPS (HTTP with SSL encryption), according to Joey Fowler, a senior security engineer at Tumblr, who confirmed the vulnerability in a response to Leo's original post.
Fowler found "quirks" testing the vulnerability, but concluded that the attack "most definitely works."
"It even bypasses standard HTTP-to-HTTPS restrictions," he wrote.
What's worse is that the Same-Origin Policy (SOP) is bypassed. This is a security mechanism that exists in all browsers to prevent code from one website, when loaded in an iframe inside a different website, from manipulating the content of that site, or vice versa.
For example, without this security boundary, site A could read the authentication cookies of a user logged into site B when that user visited site A. Authentication cookies are identifiers that websites set in browsers in order to remember authenticated users. If copied into another browser, these cookies can automatically grant access to the accounts they correspond to.
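To make the boundary concrete, here is a small model of the check a browser performs before script in one frame may touch another frame's DOM. This is an added illustration written for this article, not Internet Explorer's code or the published exploit; the URLs are constructed sample values.

```javascript
// Minimal model of the Same-Origin Policy: two documents share an origin
// only when scheme, host and port all match (the standard origin tuple).
// Illustrative code only; no real browser implements it this simply.

// Default ports per scheme, so "https://a.test" and "https://a.test:443"
// compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port).
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only if every part of the origin tuple matches.
function sameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Access decision: script running in the document at `callerUrl` asks to
// read or modify the DOM of the frame showing `targetUrl`. A correct
// browser answers "allow" only for same-origin pairs. The flaw described
// above amounts to this check answering "allow" for a cross-origin pair,
// which is why the injected page can replace the framed site's content
// while the address bar still shows the framed site's domain.
function mayAccessDom(callerUrl, targetUrl) {
  return sameOrigin(callerUrl, targetUrl) ? "allow" : "deny";
}

// Constructed sample: an unrelated site framing a news site over HTTPS.
const decision = mayAccessDom("http://unrelated-site.test/page.html",
                              "https://www.dailymail.co.uk/");
console.log(`cross-origin DOM access: ${decision}`); // prints "deny"
```

Note that the http-to-https pair counts as two different origins, which is the "HTTP-to-HTTPS restriction" Fowler describes the exploit as bypassing.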
This IE flaw has the same effect as cross-site scripting (XSS) vulnerabilities, which typically allow attackers to steal cookies and display rogue content on vulnerable sites by injecting rogue content through their URLs. The Internet Explorer vulnerability renders all sites vulnerable to XSS, which is why Leo called it a universal XSS.
"Universal XSS is a browser flaw which would allow an attacker to execute script content in the context of any site regardless of a pre-existing flaw on the website," said Craig Young, a security researcher at Tripwire, who also analyzed the published exploit. "Successful exploitation of a universal XSS bug requires only that an attacker can entice a victim to load a malicious site. This could be in the form of malvertising, phishing, or even comment spam."