Internet Explorer URL spoofing threat

From: M. Burnett (mbat_private)
Date: Fri May 30 2003 - 10:01:34 PDT

    Recently I advised Microsoft of a vulnerability in Internet Explorer
    that would cause the browser to browse to one web site but display a
    completely different URL in the address bar. Due to inconsistent
    handling of authentication credentials in a URL, IE will parse the
    URL one way when browsing and another way when displaying it in the
    address bar. The result is that an attacker could deceive a user by
    using a specially crafted URL that will show a real site's URL in the
    address bar yet browse to a completely different, perhaps spoofed,
    site.
    
    But there's a catch: the URL must be typed or pasted into the address
    bar to work; you can't just click on a link.  Because of this
    limitation, Microsoft decided to not treat this as an urgent issue
    and scheduled it for the next service pack. I disagree with that
    decision but I understand and respect their reasons for making it.
    
    Unfortunately, that left me to decide whether I should release an
    advisory on this or not. While not being able to click on a URL does
    make it more difficult to execute this attack, it certainly does not
    limit the ability to exploit this. Since many e-mail readers have
    trouble converting wrapped URLs into clickable links, all it takes
    is a URL in an e-mail that is long enough to wrap, forcing a user to
    copy/paste the URL into a browser.
    
    In fact, consider this snippet from an e-mail you get when signing up
    for a Microsoft Passport account:
    
      *If clicking a link doesn’t work:
      Select and copy the entire, appropriate link.
      Open a browser window and paste the link in the address bar.
    
    So it probably isn't that hard to trick a user into pasting a long
    URL into IE. In fact, I wonder how many users would fall for this
    one:
      *For security purposes, DO NOT click on this link. Either paste or
      manually type this URL into your browser window.
    
    Microsoft told me that part of their decision was based on the fact
    that typing or pasting a URL would give the user more opportunity to
    identify the spoofed portion, but that assumption is backwards.
    Attacks of this nature are not based on how many users won't fall for
    it, but the fact that eventually someone will. Look at the Nigerian
    e-mail scam. I get three e-mails a day asking for urgent assistance
    and wonder who would ever fall for those. But people do. Even one
    percent of a hundred million e-mail users is a lot of people.
    
    So while a clickable link is more convenient, it is my opinion that
    it hardly reduces the effectiveness of this attack. On the other
    hand, if Microsoft is not going to release a fix at this time, it
    would certainly not be ethical of me to release details of the
    vulnerability.
    
    So this is my advisory: DON'T TRUST THE URL IN THE ADDRESS BAR.
    
    Why is this all so important? Obviously there is the threat of
    spoofing a web site. But consider the impact of not being able to
    trust a URL.  For example, eBay tells users to check the URL in the
    address bar to be sure they are logging in using an official login
    page (see http://pages.ebay.com/help/new/account_protection.html).
    eBay's anti-spoofing strategy completely relies on the assumption
    that you can trust the URL in the address bar. But you can't trust
    it.
    
    Even using an SSL connection may not be effective. If the spoofed site
    had a valid SSL certificate for itself, IE would show the lock icon
    in the status bar, indicating that the certificate was valid, even
    though not for the URL listed in the address bar.  If you clicked on
    the icon, it would show a valid certificate, but for the wrong site.
    Unless users always make a habit of clicking on the lock icon to
    verify the owner of the certificate (which they don't), the lock icon
    would actually help the attacker to deceive the user. A valid URL and
    a lock icon indicating a valid certificate provide a powerful
    deception.
    
    While this may seem like a minor issue to some, I felt it was
    important enough to address because:
    
    - Many users trust the URL in the address bar; this issue shows that
    the address bar cannot be trusted and no security decision should be
    made based on the contents of the address bar.
    
    - The attack can be executed anonymously and on a large scale any
    number of ways. Ask any PayPal or eBay user how many times they get
    e-mails asking them to log in to their account (to a spoofed login
    page) through a link or form provided in the e-mail.
    
    - I have found one known form of the attack, yet other forms may yet
    be discovered in IE or other browsers. Further, future attacks may be
    discovered that are never made public; attacks already exist that are
    not public.
    
    Without some separate form of verification, address bars cannot be
    trusted. They can take input from an untrusted source and can
    therefore be exploited. This brings up some interesting issues. As
    security in general has improved over the last few years, we have
    seen a change in attack trends. We have seen many more attacks on the
    average user, attacks that involve the abuse of trust.
    
    Trustworthy Computing is more than fixing your software code, but
    coming up with innovative new techniques for establishing and
    verifying trust.
    
    Mark Burnett
    www.iissecurity.info
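
The following is an added example and is not part of Mark Burnett's post. It assumes that the "authentication credentials in a URL" the advisory refers to are the ordinary `user:password@host` userinfo syntax of http URLs (RFC 1738); it does not reproduce the IE-specific parsing difference the post deliberately withholds. It shows the split a client must make between the credential text and the host it really connects to, and a check a mail gateway or user-facing warning could apply: flag URLs whose credential text itself reads like a host name, since a reader skimming the URL may take that text for the site. The sample URLs are constructed from reserved example names and addresses.

```python
"""Added example (not from the original post): separate the userinfo of a
URL from the host actually contacted, and flag look-alike userinfo."""
from urllib.parse import urlsplit
import re

# Text that reads like a registered host name, e.g. "www.example.com".
HOSTLIKE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def split_netloc(url):
    """Return (userinfo, real_host) for a URL.

    The real host is whatever follows the last '@' in the authority; that is
    the name the TCP connection is made to and the name any certificate check
    must be applied to, regardless of what the address bar renders.
    """
    parts = urlsplit(url)
    userinfo, sep, _ = parts.netloc.rpartition("@")
    return (userinfo if sep else ""), (parts.hostname or "").lower()


def assess_url(url):
    """Classify a URL for a mail filter or a user-facing warning.

    Verdicts:
      'ok'          - no embedded credentials
      'credentials' - credentials present, but they do not resemble a host
      'lookalike'   - the credential text resembles a host name, so the URL
                      can be misread as pointing at that host
    """
    userinfo, host = split_netloc(url)
    if not userinfo:
        verdict = "ok"
    elif HOSTLIKE.match(userinfo.split(":", 1)[0]):
        verdict = "lookalike"
    else:
        verdict = "credentials"
    return {"url": url, "real_host": host, "userinfo": userinfo, "verdict": verdict}


# Constructed sample URLs (RFC 2606 names, RFC 5737 address), as a filter
# might see them in the body of an e-mail.
SAMPLES = [
    "http://www.example.com/login",
    "http://alice:s3cret@intranet.example/wiki",
    "http://www.example.com@203.0.113.7/login",
    "https://login.example.com:443@phish.example.net/",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        r = assess_url(sample)
        print(f"{r['verdict']:11} real host={r['real_host']:20} {sample}")
```

The `real_host` value is the only name a certificate can legitimately vouch for; a lock icon that validates against it says nothing about the text shown before the `@`, which is exactly the gap the advisory describes.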
    