
Phishing Hole: Serious Flaw Found in Internet Explorer

A serious bug in Internet Explorer 11 for Windows 7 and 8.1 could let attackers steal people's login credentials and even modify Web pages. Experts say the flaw could also be used to launch convincing phishing campaigns on unsuspecting Web users.

The flaw is a type of cross-site scripting (XSS) bug: with carefully written JavaScript, it lets attackers bypass what's called the "Same-Origin Policy," a browser security rule that prevents one website's scripts from reading or modifying another website's content.

It works even if the target site uses the more secure HTTPS protocol instead of HTTP, because the rule being bypassed is enforced by the browser rather than by the connection, and antivirus software can't stop it.

To dispel any doubts about its existence, security expert David Leo of British security firm Deusen, who discovered the flaw, created a Web page that safely demonstrates the exploit. Visitors to the site who use IE will see the Daily Mail's homepage in a pop-up window, which then changes to read "Hacked by Deusen."

Leo accomplished this because the exploit let him swap the content of the window from the Daily Mail's site to his own, without changing the displayed URL. Even though the browser's address bar still shows www.dailymail.co.uk, what is actually rendered in viewers' browsers comes from the attacker's page.

Pretending to deface a website, as Leo did, is the least that attackers could do with this flaw. Because the attacker's script runs as if it were part of the target site, it could also read that site's authentication cookies, which are what keep people signed in to online accounts, and use them to take over those people's sessions.

Attackers could also create extremely credible phishing pages that would appear to have a legitimate website's URL. The phishing pages could be crafted to look like a bank's homepage or another important site and trick people into disclosing sensitive information, or simply serve malware.

Microsoft says that as of now, there's been no evidence that attackers have been using this flaw in the wild. The company also points out that attackers would have to lure targets to their phishing websites in order to exploit it.

On the one hand, exercising some extra caution in your Web browsing could protect you from attacks, but on the other, clever criminals should have little trouble luring people to a well-crafted page.

While newer versions of Internet Explorer do have a feature called SmartScreen that is designed to detect phishing websites, it relies on reputation data about sites already reported as malicious, so it catches large-scale attacks rather than targeted ones.

To avoid attacks using this exploit, simply avoid using Internet Explorer until Microsoft issues a patch. Earlier versions of IE may also be vulnerable, but the latest versions of Mozilla Firefox and Google Chrome are not.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games.