Still Use Internet Explorer? The Browser Could Be Leaking Your Search Habits
The current version of Microsoft's Internet Explorer carries a serious security bug that allows malicious websites to read what the user is typing in the URL address bar, leaking both the addresses and search terms.
Internet Explorer bug leaks whatever user types in the address bar
Disclosed by security researcher Manuel Caballero, the flaw essentially enables the website the user is currently visiting to view the text typed in the address bar as the user hits the enter key. This includes the address of the website the user was going to visit next. Since Internet Explorer, like several other browsers, can bring up search results when a user types a query in the address bar, these search terms are also up for grabs, potentially leaking sensitive user information and browsing habits.
The security researcher has shown the exploit in a proof-of-concept video shared at the end of this post. The video makes it seem as though the user would notice the malicious website copying their search queries and the next website's address, but the researcher set the demo up that way on purpose. "The attacker can get the URL and let the browser load it," he tweeted. "The demo is interrupting it on purpose."
The security researcher believes that "Microsoft is trying to get rid of IE without saying it," by not making this browser more secure and favoring its newer Edge browser instead. "Imagine what black hats can do right now: they can stay in your browser even if you navigate to a different site, which gives them plenty of time to do ugly stuff like mining digital currencies while abusing of users CPUs," he wrote. "Also, IE has its popUp blocker is completely broken and nobody seem to care."
When reached for comment, Microsoft gave the following statement:
"Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible."
The company has also promised to deliver a security fix via its Update Tuesday schedule. Here's the proof of concept video, and you can also test it yourself by opening up Internet Explorer and going to this site.