While browsing the Internet a few days ago I came across a disturbing behavior of Internet Explorer.
Internet Explorer has a feature that allows users to load a Favorite located at the root of the Favorites tree by typing its full name into the address bar. Let's say we have a Favorite named 'Watchfire' pointing to www.watchfire.com. Whenever we wish to visit www.watchfire.com, we can simply type 'Watchfire' into the address bar instead of using the mouse to select it from the Favorites center.
While this feature looks pretty innocent, I had a bad feeling about it, probably because the address bar is mainly perceived as a means for entering URLs into the browser.
Therefore, I decided to play a bit with this feature.
I browsed to Watchfire's website and added it as a Favorite, but instead of naming it "Watchfire", I used the URL of a different site (let's call it 'www.some.site'), wondering how IE would react.
From that moment on, every time I attempted to visit www.some.site by typing its URL in the address bar, the browser took me to Watchfire's website instead!
This problematic and unexpected behavior opens the door to persistent phishing attacks against victims. If an attacker manages to plant a malicious Favorite in a victim's browser, he/she could force the victim's browser to load an attacker-controlled website whenever the victim tries to visit legitimate websites.
Since most phishing scams rely on luring victims into clicking malicious links, surfers are taught to be suspicious and careful before clicking links they receive, and are instead encouraged to reach sensitive sites by typing the URLs manually.
Although this type of attack is far from invisible, as there are two clear indications that a wary surfer could easily notice (a new Favorite added to the Favorites list and the URL in the address bar changing as a result of the Favorite loading), I still think this attack might work pretty well against regular, unsuspecting surfers, especially as it exploits the trust most of us place in typing the URL ourselves.
In addition, some of the attack traces can be covered using standard phishing techniques, such as redirecting the browser to a phishing URL spelled closely to the original URL.
In a real-world scenario, the main obstacle to mounting a malicious Favorites attack would be finding a way to inject the malicious Favorite into the victim's Favorites center.
In order to overcome this technical limitation, various social engineering techniques can be used.
The "Add A Favorite" pop-up dialog of IE only presents the title of the about-to-be-created Favorite, and not the URL it points to. This lack of information could be utilized by a malicious individual mounting a social-engineering attack.
Social engineering attacks have many shortcomings. As a result, their success rate is usually far from perfect. An automated and transparent way of planting Favorites on target computers could significantly increase the impact and danger this bug poses to innocent surfers.
Does anybody know a way to automatically inject attacker-controlled Favorites into a victim's system? :)
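A defender-side check for the behavior described in the post above, as an added example that is not part of the original post: it lists root-level Favorites whose title reads like a host name but whose target URL points to a different host. It assumes Favorites are stored as `.url` Internet Shortcut files with a `URL=` entry under `[InternetShortcut]`; the function names and the sample files are constructed for illustration.

```python
import configparser
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# A Favorite title that reads like a typed address, e.g. "www.some.site".
HOSTLIKE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def read_target(url_file):
    """Return the URL= value of an Internet Shortcut (.url) file, or None."""
    parser = configparser.RawConfigParser(strict=False)  # no % interpolation
    try:
        parser.read_string(Path(url_file).read_text(encoding="utf-8-sig", errors="replace"))
        return parser.get("InternetShortcut", "URL")
    except configparser.Error:
        return None

def target_host(target):
    """Host part of the target URL, or None if it is missing or malformed."""
    try:
        return urlsplit(target if "//" in target else "//" + target).hostname
    except (TypeError, ValueError):
        return None

def norm(host):
    """Lower-case a host name and drop a leading 'www.' for comparison."""
    host = (host or "").lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host

def audit_favorites(root):
    """List (title, target) for root-level Favorites whose host-like title
    names a different host than the URL they load."""
    findings = []
    # The feature in the post applies to Favorites at the root, so no recursion.
    for entry in sorted(Path(root).iterdir()):
        if not entry.is_file() or entry.suffix.lower() != ".url":
            continue
        title, target = entry.stem, read_target(entry)  # target None if unparseable
        if HOSTLIKE.match(title) and norm(target_host(target)) != norm(title):
            findings.append((title, target))
    return findings

if __name__ == "__main__":
    # Constructed sample: the Favorite from the post plus a harmless one.
    root = Path(tempfile.mkdtemp())
    body = "[InternetShortcut]\nURL=http://www.watchfire.com/\n"
    (root / "www.some.site.url").write_text(body)
    (root / "Watchfire.url").write_text(body)
    for title, target in audit_favorites(root):
        print(f"suspicious Favorite {title!r} loads {target}")
```

Point `audit_favorites` at the user's Favorites folder (commonly `%USERPROFILE%\Favorites`); an entry reported with target `None` is one whose file could not be parsed.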
Firefox has similar functionality; namely, the keywords property does the same thing.
Though on Firefox it's more useful, since you can have URLs which look like http://www.google.com/search?q=%s so that you can do a search from the address bar.
But as you yourself said, it's pretty damn obvious when the address bar changes. You might be able to fool some users, true, but it really shouldn't be an issue - malware has better ways to attack users.
Posted by: kuza55 | October 16, 2007 at 01:40 AM
Neat.
I wanted to mention that you might be overestimating a couple of things:
1) That your average J. Q. Surfer can keep track of the favorite links, and most won't notice a new entry. Try as I might, mine usually end up in a mess.
2) That the same average person looks at the address bar past the initial typing or can understand what goes on there. Or cares, for that matter.
I would agree that getting there's the hard part. However, if you could inject an "Add to Favorite" link (XSS of some sort?), most people would be completely oblivious to the fact they were compromised.
Posted by: Shahar Sperling | October 16, 2007 at 11:11 AM