(LiveHacking.Com) – A new Cross Site Scripting (XSS) vulnerability has been found in IE 11. According to an email sent by David Leo, a researcher with information security company Deusen, to the Full Disclosure mailing list, the vulnerability can allow an attacker to steal anything from a third party domain, and likewise inject anything into a third party domain.
Deusen has also posted a proof of concept which injects the words “Hacked by Deusen” into a third-party website, in this case dailymail.co.uk. The disclosure is for Internet Explorer 11 on Windows 7; however, I have tried it on Windows 8.1 and the vulnerability is present.
The PoC works as follows: once the web page has been opened, you need to click on a dialog box to proceed. A second window then opens showing the dailymail.co.uk website, and after a few seconds the contents of dailymail.co.uk are replaced with the hacked message. In a real-world scenario the injected code would do something more malicious.
Since IE still shows that the domain is dailymail.co.uk, users can easily be tricked into giving up usernames and passwords, or other private information. Imagine if the attacker used paypal.com rather than dailymail.co.uk.
However, phishing isn’t the only worry. Because the injected code runs in the context of the third-party domain, the vulnerability also means attackers can access that site’s existing authentication cookies. This means that an attacker can masquerade as an already logged-in user.
According to Joey Fowler, a Senior Security Engineer at Tumblr, the vulnerability allows hackers to bypass standard HTTP-to-HTTPS restrictions. “It looks like, through this method, all viable XSS tactics are open!” he wrote.
Joey also asked if Microsoft had been informed. David Leo confirmed that Microsoft was notified on Oct 13, 2014. In a statement to iTnews, Microsoft said that there were no known cases of this vulnerability being exploited in the wild. Microsoft is working on a fix.