Internet Explorer Bug Leaks Whatever You Type In the Address Bar (arstechnica.com) 99
The latest version of Internet Explorer has a bug that leaks the addresses, search terms, or any other text typed into the address bar. The flaw was disclosed Tuesday by security researcher Manuel Caballero. Ars Technica reports: The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn't intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services. The proof-of-concept makes it transparent that the attacking website is viewing the entered text. The hack, however, can easily be modified to make the information theft completely stealthy. A proof-of-concept site shows the exploit in action.
Internet Explorer? (Score:2)
Haven't Microsoft users switched to Edge by now?
Re: (Score:3)
There's still a lot of shit that works in IE but not in Edge...
Re: (Score:2)
Plus, in my opinion, Edge makes for horrible user-experience.
Irrelevancies aside, SW non-freedom is the issue (Score:3)
Is this some question rooted in making sure future privacy leaks happen faster, in a more standards-compliant way, with a different web rendering engine, or some other technocratic detail that tries to obscure the underlying non-freedom problem?
Since when would the non-free Edge browser be more trustworthy than the non-free Internet Explorer browser?
The problem is the lack of software freedom; even users skilled and willing to help themselves and others fix the problem are not given permission to know what
Re: Irrelevancies aside, SW non-freedom is the is (Score:2)
You can look at the source fuckwit that's how.
Re: (Score:1)
And you then submit your patches where??
Re: (Score:3)
It's been over 25 years and FOSS hasn't solved the issue of computer security either; Open source browsers and OSs also require regular security patches.
Re: Irrelevancies aside, SW non-freedom is the iss (Score:1)
"Many eyes make all bugs shallow" was pretty much debunked when OpenSSH was breached a few years ago. The code was open but only 4 eyes were looking at it.
For as large as the OSS crowd might be the OSS code base is many times larger and most people are drawn to the latest hotness like so many moths. The reason OSS security gets broken is because the devs are busy building automatic Jenga-robots or self driving boondoggles with GPUs. And why shouldn't they? They're not paid staff, that's the whole point.
Re: Irrelevancies aside, SW non-freedom is the iss (Score:5, Insightful)
The argument was never, "If you build it, they will all turn their eyes towards it checking for bugs."
The idea is that if you know you have a bug, because you use the software, and there is only the programmer at some company that is even allowed to look at the code, then they might not fix it, and they might not even have time or interest to try. Hard problems are often going to receive (if you're lucky) a work-around unless you're paying extra to get it fixed. The same situation with free software, the worse the problem is the more people are looking at it, and the easier it is to solve.
There was never anything about fixing bugs before you know about them because free software is magic. That part you made up yourself.
OSS security isn't broken, it is powering most of the infrastructure. But that isn't in the news, because "trains ran on time, 700 days uptime" isn't news.
Re: Irrelevancies aside, SW non-freedom is the is (Score:2)
Like Heartbleed?
Re: (Score:2)
Exactly. Fixed almost instantly. As soon as the bug was in the news, there was also an open solution in the news. When the eyes turned to the bug, it became shallow. And not before that, of course.
Re: Irrelevancies aside, SW non-freedom is the is (Score:2)
In existence for how many years though?
Re: (Score:2)
That's not on topic, you're just burbling words and hoping somehow it might add up to a point.
Do try to comprehend words before replying to them.
Re: (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org]. Now off you fuck, there's a good boy.
Re: (Score:2)
Sorry little boy, you were born yesterday and you didn't play nice so you were stupid and ignored too. When you've been here as long as I have, you don't care what idiot new users blather about.
Re: (Score:2)
In any maxim this pithy, language is being used in a special register where the "modulo" term is user supplied—if the user has the wits and can ass himself to do so.
There are so many things you got wrong here, do I need to strip gold stars off your chest on both sides of this equation?
First off, the OpenSSH bug was shallow, right from the get go, to any competent pair of eyes.
Second, cryptographic soft
Re: (Score:2)
You don't have to. IE could have been used as I did for my dad when he got his W10 system and I installed FF.
Not everything is about Edge. Where there's a will, there's a way.
Re: (Score:2)
So far there are approximately 6 people in the world who use Edge.
Re: (Score:2)
That's not true at all. Granted, the only reason it's not true is that there are more than 6 people in the world with Windows 10 who can't figure out how to either:
1) Click the start button and type the letters "i" and then "e".
2) Type "Chrome" or "Firefox" into Edge's search bar.
Re: (Score:2)
Correction: You really only need to type the letter "i" to have Internet Explorer show up at the top of the list (unless you've installed a bunch of other stuff that starts with an "i").
Re: Internet Explorer? (Score:2)
they moved to chrome, which happily sends that information to Google only. much secure.
even localhost urls are sent to make sure the site is "safe" . much secure.
Re: (Score:2)
Yeah, what does "latest version" even mean? I thought they had finally stopped development on that garbage fire. Is that not the case? Or did they introduce this bug in a security fix? (Sadly wouldn't surprise me!)
And worse, if you type a local hostname... (Score:1)
like we have like "jenkins" for our CI server, but instead of doing a DNS lookup for that that returns an IP address since we have a properly set up search domain, it redirects us to a Bing search for jenkins. Microsoft really still doesn't grok DNS.
Re: (Score:2)
All browsers are like that. Chrome is particularly annoying since they insist on hiding the protocol, it won't even figure out it's an IP address and will search instead.
Re: (Score:2)
You can turn that off obviously.
How?
Re: And worse, if you type a local hostname... (Score:2)
I love you
Re: And worse, if you type a local hostname... (Score:1)
Chrome can be taught. If you type something to the top bar which can be a url as well, chrome will suggest the exact typing twice, but with different icons in front. A magnifying icon will do a search. A paper icon will try to open the url directly. If you choose the url, the next time you do that, the default action will be the url again. If you want a search instead, you can select the magnifying icon from suggestions (this generally works: if you want to search for a url, instead of opening it).
Re: (Score:2)
Try it with a dot on the end.
And remember, a domain name and a URI are different things.
Re:All browsers (Score:5, Informative)
And so does whatever web site you were already on when you pressed enter. That's the difference. For some reason, they update the JavaScript location object before actually navigating.
More of the same (Score:3)
Yet another feature of a major browser that doesn't work on Firefox. I hope this will get resolved when they release that unified search/address bar.
Re: (Score:2)
I dunno, I already have an integrated search/address bar. You can configure it that way in about:config.
If you really want to be bug-compatible with IE on this one, surely there is an extension out by now for it? We can have whatever features we want, they don't have to all be good ones.
That's fine (Score:2)
Headline reads like something from The Onion (Score:2)
"New spoon throws soup back into your face"
"Cat sues owner for pooping in its litter box"
"Internet Explorer leaks your address bar"
Let's address the elephant in the room (Score:5, Informative)
More than two days of static Slashdot. Can't we have a headline about that shit?
Are we no longer a community? (Score:4)
Re:Are we no longer a community? (Score:5, Informative)
As a longtime reader, I also would love to see a story explaining the downtime.
There is an article describing the issues at:
https://www.theregister.co.uk/... [theregister.co.uk]
I don't know why they didn't bother putting out an article describing the issues. I was getting VERY tired of 503s...
Re: (Score:2)
SourceForge was acquired alongside its nerd news discussion board Slashdot by finance, business and technology service BizX in 2016. The duo of websites have suffered outages in the past: in 2015, "filesystem corruption" on the Slashdot Media storage platform took out SourceForge for days.
"We recognize there have always been issues with SourceForge and Slashdot, both with our current provider and within the infrastructure," Abbott told us.
"As a result we had already decided to fund a complete rebuild of hardware and infrastructure with a new provider. We have the hardware on hand and are at the final stages of negotiations with the new provider."
Re: (Score:1)
Why always blame Republicans?
Re: (Score:2)
Yes. We're seasoned nerds who matter.
We are capable of understanding an explanation.
Re: (Score:2)
Yes. We're seasoned nerds who matter. We are capable of understanding an explanation.
Hell, I bet half of us could have fixed the problem, too.
Re: (Score:2)
I think you're right.
My motivation for being here is to read the comments by people who are much closer to an issue and much more informed than I am. /. should maybe tap into that.
Oh, this ain't good... (Score:2)
Address bars are for addresses. (Score:3)
Awesome (Score:1)
This is way better than the bugs IE6 used to have, 'back in the day.'
What??? (Score:1)