New Internet Explorer Bug

There's a newly discovered bug in Internet Explorer that allows any currently visited website to learn the contents of the address bar when the user hits enter. This feels important; the site I am at now has no business knowing where I go next.

Posted on September 28, 2017 at 2:21 PM • 22 Comments

Comments

Douglas Coulter • September 28, 2017 4:11 PM

I'd known about this for some time, or at least something like it.
If you have a website as I do, hosted elsewhere, like most websites, the info they give you in reports tells you where people came from.
This is just the flip side of the same thing...not that it's a good thing, but it should have been obvious that it existed/exists for quite a long time.

For ages, if I cared (say I was doing something financial) I would, without exception, use a fresh blank tab or window for that, and only that, closing it and not reusing it when done. Basic computer sanitation IMO. Just like "don't click on random stuff or open things you don't know the trust chain of" basic.

Yeah, like 10,000 (at least) other snoopy things - from super cookies to (OMG if I start a list it'll be too long for the readers...) hidden invisible GIFs or whatever - this is bad. But also pretty predictable and expected.

Cui Bono and "you're the product" should have alerted anyone who cares about opsec - and motivated more people to learn about it.

As it is, people think crypto or a VPN actually hide anything. Hint - your ISP has all the metadata that'll ever be needed to convict you - right or wrong - of anything, regardless. And recently, they won a law that lets them sell what they know about you. Pretty hard to use a different coffee shop every time you need the web, especially where I live (the nearest one is a 45 min drive).

If you've got a secret, talk as much as usual - or more, but about something else, preferably boring. Lyndon Johnson used this to keep the press at bay, the technique works.

Holden URLfield • September 28, 2017 5:09 PM

Referer control.

https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en

https://addons.mozilla.org/en-US/firefox/addon/referercontrol/

(keepa.com, they're an amazon price tracker, I have not 'delved deep' so caveat emptor.)

It breaks some sites, so you need to build a whitelist.

If you're not disabling the capabilities of default websites to track you until they break, IE url-bar data exfiltration is probably the least of your worries.

Also... you're using IE as a browser in 2017? Then you deserve what you get anyway.
It's been untrustworthy since forever and even replaced by a new untrustworthy browser.

Yet just today I came across another 'average' user banking (literally) on IE8.
There's nobody with a megaphone in their face telling them to cut it out.

There should be.

uh, new tab + same old cache/history? • September 28, 2017 5:12 PM

"new site, new tab."

Full ctrl-shift-del, quit, verify halted, new process start, new tab.

Even that doesn't get everything. If it takes more than 2 seconds you need a new machine.

MarkH • September 28, 2017 5:26 PM

I'm a little shocked to learn that this is classified as a bug.

Since I first learned quite a while ago that browsers disclose an enormous amount of info about their users (probably from something I read on this blog!), I've come to think of them as Yet Another Surveillance Device.

So, I had just _assumed_ that when I type a URL, the previous one might be sent to the new site.

Perhaps sending this information when clicking a hyperlink is considered a norm, but not when typing a new URL.

That being said, I always disliked this kind of exposure, and certainly share Bruce's antipathy toward browsers doing that kind of thing.

Steve • September 28, 2017 5:30 PM

@Bruce: "This feels important; the site I am at now has no business knowing where I go next."

You mean other than Google, of course.

Jim C • September 29, 2017 2:20 AM

Re: Douglas Coulter
Referrer you have some legitimacy (ish) to know as a site owner, next URL you have no business knowing.

I think they are pretty distinct and as such it's a significant bug compared to the referrer 'feature'

ultramage • September 29, 2017 2:42 AM

To all, this is not a referrer sort of thing. This is an implementation flaw in compatibility mode in IE (only). And you have to write a pretty specific piece of html and javascript to make it happen.

keiner • September 29, 2017 3:27 AM

Who uses IE? And cares for privacy?

Who uses Chrome and cares for privacy?

Face it: the war is LOST, people shout out on the interweb-thingy what their parents wouldn't have told their best friends. People are dumb. To compensate they have "smart" devices...

Spellucci • September 29, 2017 6:10 AM

Whatever happened to responsible disclosure? I didn't see anything in the original article that said Microsoft had been notified and given a chance to fix it.

Clive Robinson • September 29, 2017 8:32 AM

@ keiner,

To compensate they have "smart" devices...

You forgot the punch line of,

    ... Written by dumb people.

But you could change "dumb" for something else like "exploitive" or if it were Chrome "Data stealing scum bag" ;-)

To misquote a song,

Ain't no moral high enough,
Ain't no villainy low enough,
To keep me stealing data from you.

r • September 29, 2017 9:16 AM

45 minute drive for the sake of 'anonymous' internet is like running an md5 without salt against a gpu...

Pointless.

You'd do better practicing sleight of hand locally than driving to what you think is an oasis of covfefe.

SnarkSide • September 29, 2017 7:19 PM

I've been expecting this. I worry about how much data leaks from data centers when admin users are on a terminal server. Even if it wasn't shared with the current site loaded, it still leaks to the default search provider and public DNS server potentially. Back in my day we typed https://www..com and we liked it. Nowadays these lazy kids type just the hostname and search, even when they already know the URL. Ctrl + Enter is all the shortcut I need, no fancy search and address combo for me thank you very much.

Mike • September 30, 2017 6:55 AM

Important because (a) some urls contain an active session id, and (b) address bar autocompletion from recent history could give a session hijacking opportunity.
Also some saved urls may include the user email address or other account identifiers.

Ricardo • September 30, 2017 12:07 PM

I can’t believe that in 2017 anyone still uses Internet Explorer. And Chrome was never a good option with its proprietary Google code (most people have never heard of Chromium). So where does that leave us?

Firefox has always been good as the leading open source, pro-security option, but it fell behind in engineering and lost out to Chrome. Mozilla decided to spend too much time and effort acting like a second-rate political commentator rather than focusing on building high quality technology that evolves with the times. Let’s hope they change course with Firefox Quantum and get back in the game.

But it’s Brave that is really setting itself up to change the whole dynamic, and no one else is doing what they’re doing. No one else is really fundamentally addressing the economic issues of the internet in a way that is beneficial to publisher revenue and user security. That’s where the most exciting innovation is happening.

So hopefully between Firefox Quantum and Brave, we can look forward to a better, safer web.

Douglas Coulter • September 30, 2017 5:48 PM

@Jim C - I agree in principle, but it's also obvious that if it can be done, and there's money in it, it's gonna be done. If a site can run script in your browser it can record and send back any user action that's in the API for that script language.

My eyes really got opened when I had a house guest who'd worked in the big data biz. She demonstrated what they can do if you simply visit a site she'd prepared as a template for sale to those slurper types of customers. They don't miss much.
If they've got money/resources, as has been discussed here plenty, all manner of de-anonymization or outright buying of data on you can also be added in. If it isn't already hacked and out there free, that is (Experian, Deloitte, and others come to mind).
You'd have to be lucky to keep the color of your undies a secret these days.
She was able to find out my bio better than my own memory in not very long, from just visiting a site. Where has that MAC been and when?

Wonder how long it'll take to get that cross referenced with security clearances from OPM and various porn and other leaks etc to find out who is best to blackmail? Already?

@ throwaway
The ISP sees every single bit you send - yes, some might be encrypted. But then your packets have to have a destination address, don't they?
So they know how much, when, and where the next landing was. Someone with resources and access to the next hop can continue the trace. The long arm of the alphabet agencies is, um, long. If they want you, they got'cha. As has been demonstrated a ton of times, crypto isn't a magic secret sauce, there are flaws in implementations, opsec, and some has probably been cracked and not reported by the crackers who stand to gain more as things stand.

What amuses me as an early author of what we thought of as some really good audio editing code you could use to create fake vocal audio so good god couldn't tell it was fake - is that now the same thing exists for video too. So they actually don't need those pics of your pedophile activities anymore (for example, just pick something everyone hates) - they can just make them up and put them on "your" machine or other storage device.
This should of course render all audio and video evidence inadmissible, as anyone with resources can create anything whatever. But the law was always about just-us and those with resources generally win, right or wrong (and I'm speaking as one who has been on the winning side of that one). For stills, there was some development of a "photoshop detector" as well - so all the "bad guy" needs is a copy so he can adjust his technique till his fakes pass...just a matter of willingness to expend the effort.

Traffic analysis, metadata, is all that's really needed, and by golly it's already like sipping from a fire hose. So your ISP, even with a VPN, reveals plenty.

Example from "Hunt for Red October" is telling, old, and there's more to it than that, but my fingers would get tired with more:

Listening to the Russian fleet, there's the usual jabber, some encrypted, as always - guys talking about operations so ships don't collide, who needs fuel, who is gonna get laid at port, and so on.

An encrypted message comes along, probably from a shore source.

The entire fleet goes quiet, and every power plant starts burning full power, as seen by satellite.

You think any analyst worth the name would not know immediately that something unusual was up in that case, and start looking hard instead of going back to the coffee and doughnuts?

Your comm probably isn't as dramatic as that, and yes, it's by far easier to look backwards in time after some event has occurred and see what traffic might have led up to it. This of course also ensures that your innocent traffic, which stands out like a red flag to a bull, will be closely examined anytime something exciting happens (terrorism) also.
This vastly reduces the effort required, as now only a few suspect messages need to be 'cracked' perhaps, and that takes fewer resources. This is perhaps why, in an interview of Snowden by Bruce, as soon as Snowden started to mention "at scale" the subject got changed very fast.

Douglas Coulter • September 30, 2017 5:56 PM

And speaking of going backwards, this is how the SEC busts all the minor insider trading and other infractions (major ones never get jailed for some reason - Free Jon Corzine!).

If some event happens, all they have to do is look for who bought tons of options that would make money on that event, just before (which is cheaper - more leverage - than buying or shorting stocks directly). Doesn't take much shoe leather after that to get your guy - especially if:
1. there aren't that many sudden big trades in that issue
2. the person in question doesn't do this every day, so even within his own trades this stands out.
3. It's easy to find out "who knows who"...

You just need a trigger to know where to begin to look.

vvp39 • October 2, 2017 12:03 AM

"Also some saved urls may include the user email address or other account identifiers."

One example: notifications of payment by the buyer to the seller on ebay.

Anselm • October 2, 2017 5:51 AM

I wonder, having been an Amazon customer for years, if Amazon really does know everything about me, then why do they always advertise either expensive stuff I literally just bought through them (where almost nobody would immediately require another specimen) or else stuff that I never actually end up buying? If that is “big data” anticipating customers' desires it seems to be wildly overrated as to its predictive powers.

Anon • October 3, 2017 9:59 PM

@Anselm: This is the problem with "big data", and public perception. The execution and use of the data seems rather simple, almost incompetent at times, but the fact of the matter is they have a whole lot more, and only need someone who knows how to search through it all to jump from a terabyte of junk, to a goldmine for .
