I don’t know what you search for on the Web in your spare time, but if you’re anything like every other human being on Earth, it’s probably nothing good.
From the embarrassing, to the compromising, to the downright dangerous, a person’s search habits say a lot about him or her — and thanks to a recently revealed bug in Internet Explorer, those habits could say it to all the wrong people. A trivially easy exploit could let an attacker log your searches and URLs simply by luring you to the wrong website.
Manuel Caballero, an Argentine security researcher, discovered the bug and detailed his findings on his blog, Broken Browser. The flaw requires a little know-how to exploit, but the outcome makes it seem almost trivially simple. By fooling Internet Explorer into thinking it’s opening an iframe, Caballero was able to instead turn the address bar into a kind of low-tech keylogger.
MORE: Best Antivirus Software and Apps
You can try the flaw for yourself if you want, or just watch it happen in the video below.
Caballero's proof-of-concept web page lets users type anything they want into the address bar. You can type a full URL, or a Bing search query. Either way, as soon as you hit Enter, the website will stop and redirect you to a simple page explaining that it has “read your mind” and displays your browser's next destination.
"What we get is not the top location anymore, but the location that the browser is going to, or what’s currently written into the address bar," Caballero explained on his blog.
Caballero’s page is nice enough to say that it’s tracking you; a malicious website would probably not be as kind.
Avoiding the bug is easy enough, since — statistically speaking — you probably don’t use Internet Explorer. Microsoft Edge is totally impervious, as are Chrome, Firefox, Safari and other popular browsers.
Even if you’re still on Internet Explorer, though, the bug’s potential mischief seems limited. An attacker would have to lure you to a specific web page, which is admittedly not hard to do.
However, as soon as you navigate to another website, the bug would have no way to follow you. If you close the tab, the bug disappears. Unless you go directly from the compromised website to something salacious, there’s nothing useful that an attacker could glean from you. Frankly, there are easier ways to exploit an unsuspecting user.
Still, the bug is in there, and quite easy to implement. Someone with more malicious intent than Caballero could probably find a way to jury-rig it into something harmful. Ars Technica solicited a comment from Microsoft, which informed the publication that it was working on the problem and would issue a fix in a future Patch Tuesday.
The lesson here isn’t so much that this particular flaw could compromise your computer. Rather, it’s that Internet Explorer is getting pretty outdated, and more and more cracks will appear in its armor as time goes on.
"In my opinion," Cabellero wrote on his blog, "Microsoft is trying to get rid of IE without saying it."
If you haven’t switched over to Edge (or another browser) yet, it’s probably high time.
Image credit: Lucian Milasan/Shutterstock
