Data theft in Internet Explorer via two-year old vulnerability

A long known vulnerability in Internet Explorer 8 allows attackers to bypass the same origin policy by loading cascading style sheets (CSS) which enables them to gain access to victims' personal data. Google Information Security Engineer Chris Evans has demonstrated the vulnerability by means of an exploit aimed at Twitter, but which can also be applied to other websites. If a user visiting the specially crafted webpage is logged into the micro-blogging service, the page extracts the user's authentication token from a Twitter page and is able to post unlimited messages in the user's account.

The vulnerability was first disclosed around two years ago and was reported to affect all major browsers. The report, in Japanese, appears, however, to have gone unnoticed. It was a further year before other browser vendors reacted and one by one fixed the problem – after Evans drew attention to the hazard on his blog. With Mozilla finally reacting to the issue in July with Firefox 3.6.7, Internet Explorer is now the only browser the latest version of which (as well as older versions) remains vulnerable. Since the attack does not require JavaScript, there is no way at present for Internet Explorer users to protect themselves – apart from using a different, non-vulnerable browser.

In theory, the vulnerability can be used to access any web page which allows users to enter their own text. In the Twitter example, a tweet containing the text {}body{font-family:" is all that's required – IE's error-tolerant parser allows an attacker importing the Twitter feed into his own web page as a CSS file to read parts of the source text in the "font-family" CSS property. In conjunction with three students at Carnegie Mellon University, Evans has published a detailed paper on 'cross origin CSS attacks'.

(crve)