Internet Explorer URL Spoofing Threat
From: M. Burnett (mb_at_xato.net)
To: <firstname.lastname@example.org> Date: Fri, 30 May 2003 11:00:30 -0600
Recently I advised Microsoft of a vulnerability in Internet Explorer
that would cause the browser to browse to one web site but display a
completely different URL in the address bar. Due to inconsistent
handling of authentication credentials in a URL, IE will parse the
URL one way when browsing and another way when displaying it in the
address bar. The result is that an attacker could deceive a user by
using a specially crafted URL that will show a real site's URL in the
address bar yet browse to a completely different, perhaps spoofed,
But there's a catch: the URL must be typed or pasted into the address
bar to work; you can't just click on a link. Because of this
limitation, Microsoft decided to not treat this as an urgent issue
and scheduled it for the next service pack. I disagree with that
decision but I understand and respect their reasons for making it.
Unfortunately, that left me to decide whether I should release an
advisory on this or not. While not being able to click on a URL does
make it more difficult to execute this attack, it certainly does not
limit the ability to exploit this. Since many e-mail readers have
trouble converting wrapped URL's into clickable links, all it takes
is a URL in an e-mail that is long enough to wrap, forcing a user to
copy/paste the URL into a browser.
In fact, consider this snippet from an e-mail you get when signing up
for a Microsoft Passport account:
*If clicking a link doesn’t work:
Select and copy the entire, appropriate link.
Open a browser window and paste the link in the address bar.
So it probably isn't that hard to trick a user into pasting a long
URL into IE. In fact, I wonder how many users would fall for this
*For security purposes, DO NOT click on this link. Either paste or
manually type this URL into your browser window.
Microsoft told me that part of their decision was based on the fact
that typing or pasting a URL would give the user more opportunity to
identify the spoofed portion, but that assumption is backwards.
Attacks of this nature are not based on how many users won't fall for
it, but the fact that eventually someone will. Look at the Nigerian
e-mail scam. I get three e-mails a day asking for urgent assistance
and wonder who would ever fall for those. But people do. Even one
percent of a hundred million e-mail users is a lot of people.
So while a clickable link is more convenient, it is my opinion that
it hardly reduces the effectiveness of this attack. On the other
hand, if Microsoft is not going to release a fix at this time, it
would certainly not be ethical of me to release details of the
So this is my advisory: DON'T TRUST THE URL IN THE ADDRESS BAR.
Why is this all so important? Obviously there is the threat of
spoofing a web site. But consider the impact of not being able to
trust a URL. For example, eBay tells users to check the URL in the
address bar to be sure they are logging in using an official login
page (see http://pages.ebay.com/help/new/account_protection.html).
eBay's anti-spoofing strategy completely relies on the assumption
that you can trust the URL in the address bar. But you can't trust
Even using a SSL connection may not be effective. If the spoofed site
had a valid SSL certificate for itself, IE would show the lock icon
in the status bar, indicating that the certificate was valid, even
though not for the URL listed in the address bar. If you clicked on
the icon, it would show a valid certificate, but for the wrong site.
Unless users always make a habit of clicking on the lock icon to
verify the owner of the certificate (which they don't), the lock icon
would actually help the attacker to deceive the user. A valid URL and
a lock icon indicating a valid certificate provide a powerful
While this may seem like a minor issue to some, I felt the it was
important enough to address because:
- Many users trust the URL in the address bar, this issue shows that
the address bar cannot be trusted and no security decision should be
made based on the contents of the address bar.
- The attack can be executed anonymously and on a large scale any
number of ways. Ask any Paypal or eBay how many times they get
e-mails asking them to log in to their account (to a spoofed login
page) through a link or form provided in the e-mail.
- I have found one known form of the attack, yet other forms may yet
be discovered in IE or other browsers. Further, future attacks may be
discovered that are never made public; attacks already exist that are
Without some separate form of verification, address bars cannot be
trusted. They can take input from an untrusted source and can
therefore be exploited. This brings up some interesting issues. As
security in general has improved over the last few years, we have
seen a change in attack trends. We have seen many more attacks on the
average user, attacks that involve the abuse of trust.
Trustworthy Computing is more than fixing your software code, but
coming up with innovative new techniques for establishing and