Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box

    Posted on September 27th, 2017 at 11:24 woody Comment on the AskWoody Lounge

    So you’re sitting on web site somesnoopingsite.com

    And you type something in the address bar. Say, “morbidity analysis of deprecated hamburgers.” You hit enter or click the “search” button.

    The site you’re sitting on, somesnoopingsite.com, can see that you typed “morbidity analysis of deprecated hamburgers.” And it can collect that information before you’re transported to your search results.

    It ain’t supposed to work that way.

    More gifts that keep on giving, from Internet Explorer.

    Great article from Catalin Cimpanu on BleepingComputer.

    If that helped, take a second to support AskWoody on Patreon

    Home Forums BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box

    This topic contains 0 replies, has 21 voices, and was last updated by  woody 1 day, 9 hours ago.

    • Author
      Posts
    • #134452 Reply

      woody
      Da Boss

      So you’re sitting on web site somesnoopingsite.com And you type something in the address bar. Say, “morbidity analysis of deprecated hamburgers.” You
      [See the full post at: BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box]

      3 users thanked author for this post.
    • #134456 Reply

      Microfix
      AskWoody Lounger

      An attempt to get more W10 users off IE11 and onto Edge?
      ‘Feature not a bug’ springs to immediately mind.

      | 2 PC W8.1 Pro x64 | | 2 PC Linux Hybrids x64 | | 1 PC Windows XP Pro x86 (offline) |
        No problem can be solved from the same level of consciousness that created IT - AE
      • #134459 Reply

        Cybertooth
        AskWoody Lounger

        I wouldn’t put anything past them any more.

        The BleepingComputer piece doesn’t specify, but it sounds like this would apply to IE on any version of Windows.

        Drat — another reason to move away from IE. That’s too bad, because to me the way IE organizes Favorites is much simpler and easier to understand than Firefox’s way.

        2 users thanked author for this post.
      • #134476 Reply

        krzemien
        AskWoody Lounger

        ‘Feature not a bug’ – exactement!

    • #134460 Reply

      EstherD
      AskWoody Lounger

      Not to put too fine a point on it, but… Personally, I have never trusted any browser to maintain proper isolation under such circumstances. Consequently, I always begin new activities with a blank page or tab, and I encourage others to do likewise.

      1 user thanked author for this post.
      • #134503 Reply

        MrBrian
        AskWoody MVP

        From http://www.brokenbrowser.com/revealing-the-content-of-the-address-bar-ie/: “For example, right now all IE users can be turned into bots with the zombie script bug (which has been public and unpatched for months). If you don’t think it’s important, then imagine what black hats can do right now: they can stay in your browser even if you navigate to a different site, which gives them plenty of time to do ugly stuff like mining digital currencies while abusing of users CPUs.”

      • #134539 Reply

        rc primak
        AskWoody Lounger

        You would actually have to clear your browser history before typing anything new into Search or the Address Bar. I have the HotCleaner Click and Clean extension so I can do this if I so desire, or if Chrome starts to slow down.

        -- rc primak

    • #134464 Reply

      Kirsty
      AskWoody MVP

      This sounds a bit like the issue highlighted in June, where Navistone was able harvesst data typed into website forms before the user hit Submit. The twit.tv discussion on the issue was posted in Code Red – Security alerts: https://www.askwoody.com/forums/topic/before-you-hit-submit-this-company-has-already-logged-your-personal-data/

    • #134466 Reply

      Noel Carboni
      AskWoody MVP

      Why would I want to type a search string into the address bar?

      It’s possible to introduce, through a 3rd party open source add-on (Quero Toolbar), a separate search box. I’ve been using IE like this for years. It’s much better, IMO:

      ScreenGrab_NoelC4_2017_09_27_150702

      This is just another in a long line of good reasons not to repurpose an address box as a search box. Addresses and search terms are apples and oranges.

      -Noel

      Attachments:
      You must be logged in to view attached files.
      2 users thanked author for this post.
      • #134484 Reply

        anonymous

        Now I’m thinking of the mobile browsers for cell phones we use; Firefox also will let people search by using the address bar now and will remove the separate box in two months time. Now is the time to be looking for something else…

    • #134470 Reply

      Jan K.
      AskWoody Lounger

      I don’t get it… as a website owner, hasn’t I always been able to see where my customers go, when they leave me? Through the webserver’s log system, I mean.

      And I’m one of those using the address bar… like it a lot! 😛

      Keeps IE header small and everything on one line….

      1 user thanked author for this post.
    • #134472 Reply

      samak
      AskWoody Lounger

      “Condition one: Attackers can hide malicious HTML object tags in hacked sites or load it via ads…”

      Keeping my ad blocker on!

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

      1 user thanked author for this post.
    • #134473 Reply

      JohnW
      AskWoody Lounger

      People still use IE11 after all the holes that have been found?

      There is a reason Microsoft decided to end it, instead of fixing it.

      • #134490 Reply

        Noel Carboni
        AskWoody MVP

        There are actually very few “holes” in IE once you’ve reconfigured the security settings to be tight. Thing is, Microsoft developed it to work in a utopian world where you don’t have malicious web sites trying to load malware or other nefarious things into your computer.

        One nice thing that IE provides that few folks notice or take advantage of is the ability to DE-configure a lot of that promiscuity, so that it just won’t run things from the wild internet. There are literally pages upon pages of settings in IE that can allow you to lock many things down, and generally with few downsides! The nice thing about IE is that you can configure different settings for the Internet Zone and for your Trusted Sites zone, so conceivably you can add your bank or enterprise web site to your Trusted Sites zone and still have everything else from the wild internet locked down.

        With the settings locked down I’ve used IE for decades without contracting any infections whatsoever. It’s a good browser because Microsoft actually HAS worked on browser security for quite a long time. Don’t forget, IE was the most used browser up to a few years ago.

        With regard to this particular bug… With my settings I cannot be bitten by this bug. Instead, I only see:

        ScreenGrab_NoelC4_2017_09_27_171609

        Beyond that…

        As poster “Jan K.” has stated, web sites have been able to track where you’ve been because browsers will happily disclose data about the last visited URL you’ve come from.

        Not to mention the fact that what you type in the address or search boxes usually (with default settings in most browsers) is sent abroad keystroke by keystroke. How do you think the system makes suggestions about what you might want to search for while you’re typing? I de-configure that stuff too. It’s not hard to imagine someone intercepting those packets – they’re not encrypted.

        I suggest these things:

        1. Review the advanced settings your browser offers, strive to understand what they do, and deconfigure the ones that open you up to potential problems. The defaults are often too permissive because they give you access to the most glitz.

        2. Consider adding some form of ad and tracking blocking/blacklisting such as uBlock Origin, firewall, or DNS proxy.

        3. No matter what software you’ve chosen or what security layers you have in place it would be best to not get too comfortable thinking that what you type into any box of a web browser is private.

        -Noel

        Attachments:
        You must be logged in to view attached files.
        7 users thanked author for this post.
      • #134494 Reply

        Noel Carboni
        AskWoody MVP

        By the way, from what I can see Microsoft Edge has removed a LOT of that essential configurability I mentioned. I only tested it briefly, so I don’t know whether the defaults are more restrictive than those of IE. I do know it doesn’t run ActiveX.

        It figures that Microsoft would trim off the essential parts to dumb things down.

        For what it’s worth I’m currently evaluating Pale Moon with uBlock Origin (and of course after a review of all settings) as a potential IE replacement. I don’t plan to add other add-ons after uBlock. So far, considering the other security layers I have, I’ve not found anything really more or less secure about it than the configuration I had with IE. It seems to work acceptably well.

        -Noel

        4 users thanked author for this post.
        • #134502 Reply

          DrBonzo
          AskWoody Lounger

          @Noel Carboni

          I, too, am interested in Pale Moon and other browsers that aren’t ‘mainstream’. But it seems many (most?) financial institution websites only support Chrome, Firefox, IE, and Edge. And it gets worse if you are using something like Ubuntu. Do you have some way of dealing with non-support of Pale Moon by banks, etc?

          • #134506 Reply

            Cybertooth
            AskWoody Lounger

            @drbonzo, I’m not Noel  😉  but I do use PM. Typically (not always), the website interprets PM as “Firefox”, so you might be OK visiting your bank’s site with it. I haven’t run across problems of that kind while using Pale Moon.

            2 users thanked author for this post.
            • #134555 Reply

              Noel Carboni
              AskWoody MVP

              I do use PM. Typically (not always), the website interprets PM as “Firefox”, so you might be OK visiting your bank’s site with it. I haven’t run across problems of that kind while using Pale Moon.

              Likewise, I’m seeing a fair bit of compatibility, since Pale Moon is derived from a FireFox source set. The apparent philosophy of the product, centering on simplicity and privacy, seems to match my goals pretty well. Browse to site xxxxx.yyy and you don’t see it access a whole bunch of other sites, just xxxxx.yyy.

              Note the setting I’ve highlighted here in the PM preferences:

              ScreenGrab_NoelC4_2017_09_28_104627

              I’ve found so far, in a few days of testing, that Pale Moon + uBlock Origin is allowing almost no bad sites to get to my next layer of security (DNS proxy with custom blacklists). That’s a Good Thing.

              -Noel

              Attachments:
              You must be logged in to view attached files.
              3 users thanked author for this post.
          • #134512 Reply

            satrow
            AskWoody MVP

            I’m not Noel either 😉

            The biggest problem with some financial sites is that they’re not secure enough; if you access them with a relatively old and insecure browser version, they will drop their security to match, yet they often don’t follow best practices and cut off supply for those browsers that are stuck using old and vulnerable protocols, etc. This can leave your connection open to abuse via ‘man in the middle’ attacks etc.

            Check all servers you have something of value on using Qualys SSL test: https://www.ssllabs.com/ssltest/index.html it will pinpoint almost all current security issues. This data could then be used to temporarily lower Pale Moon’s default security to match the best your financial server has to offer; there’s an Add-on to help with this, Pale Moon Commander: https://www.palemoon.org/commander.shtml

            To enable connections to the vast majority of sites and get the ‘real’ content supplied, there are three basic User Agent Compatibility Mode switches as standard: Native, Gecko and Firefox.

            If these fail, an added line in about:config will allow you to use a recent (or older!) standard User Agent to connect; there are already a number of sites that have overrides preset (none are banking sites), so you could use one of those in the format: New String name “general.useragent.override.sitename.com“, changing the sitename.com to the address of the server that’s playing hard to get; the value needed might be something like “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.9) Gecko/20100101 Firefox/52.9 (Pale Moon)”. Typing “general.useragent.override” in about:config’s search pane will show you those values.

            Pale Moon Commander can also be used to modify a number of other security/privacy and other settings, maybe even some that Noel would approve of ;).

            7 users thanked author for this post.
          • #134535 Reply

            wdburt1
            AskWoody Lounger

            Epic Privacy browser works well with online trading sites.

            2 users thanked author for this post.
    • #134479 Reply

      Canadian Tech
      AskWoody MVP

      After about 20 years being a dedicated IE fan, I am now using Chrome. I am gradually phasing out of IE and have advised my clients to do the same.

      Everything Microsoft touches it turns to bad smelling waste.

      CT

      2 users thanked author for this post.
      • #134538 Reply

        rc primak
        AskWoody Lounger

        Hasn’t Chrome allowed this and much more snooping for all the time it has existed? How do folks figure that Chrome is more private than IE?

        As for the other post suggesting using an ad blocker — AFAIK no ad blocker or script blocker would have prevented this type of snooping. Someone correct me if I am wrong.

        -- rc primak

    • #134480 Reply

      Seff
      AskWoody Lounger

      It’s never occurred to me not to use an address bar for a search entry. It’s neat, simple, and intuitive. However, if there are good reasons for not doing so, then perhaps a brief article explaining that would be a useful thing? I’m sure that 99% of amateur users (and quite a lot of professional users if not most of them) use the address bar for search entries and would benefit from having it explained to them if there’s a problem with it.

      However, it’s long occurred to me not to use IE. I keep IE11 updated purely because Windows 7 and some applications rely on it in various ways and it’s a recommended security measure, but I only ever use it if I have a problem accessing a site with Chrome and want to check whether it’s a Chrome issue or not. That happens like once or twice a year.

      2 users thanked author for this post.
    • #134500 Reply

      Cybertooth
      AskWoody Lounger

      With regard to this particular bug… With my settings I cannot be bitten by this bug. Instead, I only see:

      Noel, which specific IE setting prevents exploitation of that bug? Is it the one about whether to run ActiveX scripting automatically? Something else?

       

      • #134559 Reply

        Noel Carboni
        AskWoody MVP

        Noel, which specific IE setting prevents exploitation of that bug? Is it the one about whether to run ActiveX scripting automatically? Something else?

        That’s a fair question, and I haven’t looked into the specifics. One of several settings could be involved:

        1. I deconfigure ActiveX entirely, and that’s what usually leads to the “An add-on failed to run” messages. However, I did not see an ActiveX specified in the target page.

        2. I have disabled many add-ons in IE’s “Manage Add-ons” section. Most folks don’t realize that add-ons – even those from Microsoft – aren’t needed to successfully browse web sites. This is what I have set up currently there:

        ScreenGrab_NoelC4_2017_09_28_105821

        3. I also reduce what scripts can do, so one/some of the general settings I have for the Internet Zone might be blocking this particular exploit:

        MyIESettings

        4. Just for completeness, here are my advanced settings.

        MyIEAdvancedSettings

        Please question anything you see here that you don’t understand or which seems wrong. There are a lot of settings! I believe I have them in pretty good shape but I’m only human and may have missed something.

        -Noel

        Attachments:
        You must be logged in to view attached files.
        3 users thanked author for this post.
        • #134574 Reply

          Cybertooth
          AskWoody Lounger

          Wow Noel, what a thorough reply! [thumbs up]

          You gave me some work to do comparing my IE security settings to yours, but right away I can say it was interesting to see that you have disabled most of Microsoft’s own built-in extensions.

           

          • #134615 Reply

            Noel Carboni
            AskWoody MVP

            right away I can say it was interesting to see that you have disabled most of Microsoft’s own built-in extensions.

            I have this philosophy that kind of goes like this:

            What Microsoft did a long time ago is pretty good, and got nice and mature through years of patching. So deconfiguring “modern” things from their OSs and applications seems a good idea.

            In practice I have found it to be true all along. I tend to stick with more “old fashioned” core functionality and shun the newest stuff, and lo and behold Windows just becomes a more solid, reliable workhorse.

            -Noel

            2 users thanked author for this post.
        • #134645 Reply

          Bob99
          AskWoody Lounger

          Nice settings, I tweaked a couple of mine to improve security a bit. However, you may have “missed” one.

          Under Security in the Advanced Settings tab, the setting for “Block unsecured images with other mixed content” I have the setting checked, whereas you don’t. I’ve had it checked ever since finding out about web beacons used for tracking you even with the “do not track” beacon on full blast. The unsecured images setting kills a great number of these little 1×1 pixel beacons if you’re not running some sort of ad or tracking blocker add-in to IE or other browsers. Further, if I’m on a secure page using https, then as far as I’m concerned, the whole page should be delivered securely or I’m not using it, PERIOD. That’s why I also have enabled the blocking of mixed content in Firefox as well…what I see should be secure if I’m on an https page or forget it, I’m not using it.

          This policy has served me well for a good number of years. Kept a load of junk-ware off my computer, but with the help of other items I also use in a layered approach.

          1 user thanked author for this post.
          • #134666 Reply

            Noel Carboni
            AskWoody MVP

            you may have “missed” one.

            The unsecured images setting kills a great number of these little 1×1 pixel beacons if you’re not running some sort of ad or tracking blocker add-in to IE or other browsers.

            Thanks. I do have ad and tracking blocking through an uncommon DNS proxy setup that uses blacklists with tens of thousands of sites and domains, but I will change that setting and see if anything looks different. I notice, for example, that PayPal tries to put up a 1×1 transparent pixel here on AskWoody.com.

            This is why I love this site… I’m continually learning new things. Thanks again!

            -Noel

            • #134679 Reply

              Bob99
              AskWoody Lounger

              However, since the aforementioned setting only blocks unsecured images in mixed content environments, it shouldn’t block the little 1×1 clear pixel on this site from PayPal, as it comes from a secure (https) site.  🙁

              1 user thanked author for this post.
            • #134711 Reply

              Noel Carboni
              AskWoody MVP

              However, since the aforementioned setting only blocks unsecured images in mixed content environments, it shouldn’t block the little 1×1 clear pixel on this site from PayPal, as it comes from a secure (https) site.

              Exactly right, IE still requests that one pixel image, yet I’m finding uBlock Origin on Pale Moon DOES somehow detect and block it.

              I have actually used PayPal to pay for something, so the additional smarts in uBlock Origin are apparently able to detect the specific request and trash it without destroying access to PayPal in general.

              -Noel

            • #134680 Reply

              Bob99
              AskWoody Lounger

              Ok, here we go again! I just had an earlier reply to Noel’s post #134666 swallowed up by the system. My reply was post number 134679. It deals with the clear pixel that PayPal has on this site. It would be nice to get it “resurrected” from the accidental “trash bin” and re posted here where it belongs.

              Thanks in advance!

            • #134682 Reply

              PKCano
              AskWoody MVP

              The site is still not functioning properly. Your reply was not swallowed up.

              The problem lies in the fact that there may be a 30 minute delay between the time you submit your reply and the time it shows up in the thread. BE PATIENT. It is not lost.

              • This reply was modified 2 weeks, 4 days ago by  PKCano.
              2 users thanked author for this post.
    • #134530 Reply

      Sam
      AskWoody Lounger

      So why is anyone still using Internet Explorer?  Woody has been telling us for ages not to use it. Thats like going to the Doctor and saying I dont have to do what he says because I know better.

      2 users thanked author for this post.
      • #134544 Reply

        Jan K.
        AskWoody Lounger

        I’ve always found it to be very quick, never had any safety issues despite the “darker” places I visit… but most important for me is the way it handles and let me organize bookmarks.
        Haven’t found any “better” browser in this regards, so that’s why I cling on the IE11…

         

        1 user thanked author for this post.
      • #134566 Reply

        Noel Carboni
        AskWoody MVP

        So why is anyone still using Internet Explorer? Woody has been telling us for ages not to use it. Thats like going to the Doctor and saying I dont have to do what he says because I know better.

        I believe people have been put off from using IE because it’s configured to allow way more than it should by default, and thus has been the vector for many attacks. It was the default and pre-eminent Windows browser for a long time. It also embraces compatibility like no other – it literally has all the logic for all the prior versions going way back still in it. Being the most used and most flexible, a lot of attacks were developed for it.

        Frankly going through and understanding the several hundred available settings to change that situation is something only a geek (like me) could love.

        People writing for the masses (e.g., Woody) generally advise against using it. But that doesn’t preclude thinking for yourself. If your doctor told you to drink poison (e.g., by accident), I should hope you’d use your common sense and avoid doing so.

        IE actually does have some advantages, especially when locked down with non-default settings (see my post somewhere up above). The security model actually makes it possible to carefully control what’s allowed and what’s not. And when not burdened with add-ons it’s actually quite fast to start up and navigate (I can’t sense a time delay between double-clicking the icon and seeing my home page, for example; it is no more than a tiny fraction of a second).

        With 41 years experience doing computer and software engineering, and with security layers added to my systems that blacklist bad sites, I chose to use IE. It’s still perfectly functional for me, but I do see the writing on the wall with Microsoft choosing to leave it behind, so I have been evaluating Pale Moon (a FireFox derivative).

        Most folks don’t have the security layers I have, and many don’t have the expertise to set them up, but adding something like uBlock Origin (which can’t work with IE) to your browser is a great start and it’s fairly easy to use and maintain. It just keeps your browser from visiting tens of thousands of bad web sites, but lets the content you want to see through.

        -Noel

        2 users thanked author for this post.
    • #134593 Reply

      samak
      AskWoody Lounger

      The Epic Privacy browser was mentioned further up this thread. It sounds quite good to me. Does anyone on here use it or know about it?

      W7 SP1 Home Premium 64-bit, Office 2010, Group B, non-techie

    • #134601 Reply

      anonymous

      I don’t get the person above who talked about reading forum data that’s not been submitted yet. That’s always been possible with JavaScript. The forum data changes properties on the DOM, and a website can open up a connection behind the scenes to send that data back. In fact, that is how forms that autosave (e.g., Gmail’s compose window) work. It just has to adhere to the same origin policy.

      Is that the issue? That an ad could read the forum data from another part of the page, and send it back, rather than it having to be the same origin as the form?

    • #134598 Reply

      anonymous

      Please, excuse my probably naive question: Is this a problem only when using the address bar, or also when using the search one?

    • #134454 Reply

      anonymous

      And the question is, Why would anyone still be using Internet Explorer?

    • #134496 Reply

      anonymous

      Well, ActiveX shouldn’t be enabled anyway. Whatever, I was not able to reproduce even with ActiveX enabled. No idea how this guy made it work in the video. Maybe Windows 10 is not affected?

    • #134482 Reply

      anonymous

      Seff, actually, the vast majority of users of IE don’t even know there is an address bar.  You would be surprised how many people find a web page by typing an address into a Google search box on the main Google page, or Yahoo.

      In fact, the vast majority of my clients have never even thought of doing a search in the IE address bar.

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: BleepingComputer: Internet Explorer bug lets a web site see what you type in the address box

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information: