Microsoft’s Internet Explorer (IE) 6 and 7 suffer from a security flaw in the browser’s AutoComplete feature that could lead to information disclosure, Jeremiah Grossman, founder and chief technology officer of web application security firm WhiteHat Security, said Thursday at the Black Hat conference in Las Vegas.
The issue is similar to a flaw affecting Apple’s Safari browser that was patched on Wednesday. By abusing the HTML form AutoComplete functionality in IE 6 or 7, a malicious website may surreptitiously obtain a user’s name, web aliases, addresses, telephone numbers, credit card numbers, place of work, job title, search terms, secret questions and answers, Grossman said.
IE 8 and IE 9, the latter due out in September, are not affected. Also, the form AutoComplete feature is not enabled by default in IE 6 and 7, so a user would have to turn it on manually by clicking "yes" when the browser prompts them to do so during the attack.
“Microsoft has been investigating the issue described in Jeremiah Grossman’s talk at Black Hat on Thursday,” Jerry Bryant, group manager of response communications at Microsoft, said in a statement. “In addition, Microsoft was pleased that Grossman noted that Internet Explorer 8, the latest version of our browser, is not vulnerable to this issue.”
Meanwhile, users who have applied Apple’s patch for Safari 4 and 5 to fix that browser’s auto-fill issue still could be at risk, Grossman said.
“All the bad guy would have to do is mass distribute their auto-complete code, like on an advertising network or a series of malware-infected pages, obtain their victims’ personal information (name, email, address, etc.) and cookie them with an ID (i.e. domain = http://whoisthisperson/),” Grossman wrote in a blog post Thursday. “When the person returns, even in a patched or feature disabled state, their browser (or the cookies within) would silently give up their identity.”
Unless users of the affected browsers “go out of their way” to delete their cookies, they could be susceptible to attacks that take advantage of the feature, Grossman said. However, there currently is no evidence that attackers have launched any real-world exploits.
To mitigate the risks of this threat, users should upgrade to IE 8, Google’s Chrome or Mozilla’s Firefox, Grossman said. IE users who cannot upgrade to version 8 should disable the AutoComplete feature in forms.