In association with heise online

27 March 2009, 11:36

Phishing with images containing hidden code


Arbor Networks, which specialises in combating distributed denial of service (DDoS) attacks, reports on its blog that a named web site is actively exploiting Internet Explorer's MIME-sniffing problem to create phishing attacks. The perpetrators send email containing a supposedly harmless link that seemingly leads to a JPEG image, but the photo contains hidden HTML and JavaScript code that displays a fake eBay login page. While Firefox and Safari return an error message when loading the image, Internet Explorer executes the code.

The variety of ways in which a file's type can be determined is at the heart of the problem. Ever since version 4, Internet Explorer has been using MIME sniffing (also known as MIME type detection). IE does not automatically assume that a file taken from the web has the content type stated by the server in the HTTP header. Nor does it trust the file name extension or signature on their own. Instead, Internet Explorer also examines the first 256 bytes of the file in order to determine its type. If it finds HTML code there, it will run it.

This loophole can be exploited not only for phishing attacks, but also for cross-site scripting attacks on sites that actually prevent the uploading of active content. More details on MIME sniffing, demos and tips for dealing with the problem are provided in the article "Risky sniffing - MIME sniffing in Internet Explorer enables cross-site scripting attacks" from The H Security. (DAB)
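A server-side upload check built on the behaviour described above, as an added example that is not part of the original article: it compares the file signature with the declared type and also scans the first 256 bytes for HTML-like tokens. The function name, the accepted types and the token list are illustrative assumptions, not Internet Explorer's actual sniffing rules.

```python
import re

SNIFF_WINDOW = 256  # bytes the article says Internet Explorer examines

# File signatures for the image types this (hypothetical) upload form accepts.
MAGIC = {
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}

# Assumed, illustrative token list; not the browser's real sniffing table.
HTML_TOKENS = re.compile(
    rb"<\s*(?:!doctype|html|head|body|script|title|iframe|form|table|img|a)\b",
    re.IGNORECASE,
)

def check_image_upload(data: bytes, declared_type: str) -> list[str]:
    """Return the reasons to reject an upload; an empty list means accept."""
    problems = []
    signatures = MAGIC.get(declared_type)
    if signatures is None:
        problems.append(f"declared type {declared_type!r} is not an accepted image type")
    elif not data.startswith(signatures):
        problems.append("file signature does not match the declared type")
    # Per the article, the signature is not trusted on its own: markup inside
    # the sniffing window can still get the file treated as HTML.
    match = HTML_TOKENS.search(data[:SNIFF_WINDOW])
    if match:
        problems.append(f"HTML-like token {match.group(0)!r} at offset {match.start()}")
    return problems

# Constructed sample inputs (not taken from any real campaign).
CLEAN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(300)
HTML_AS_JPEG = b"<html><body>placeholder page</body></html>"
JPEG_WITH_MARKUP = b"\xff\xd8\xff\xe0\x00\x10" + b"<html>placeholder</html>" + bytes(300)

if __name__ == "__main__":
    samples = [("clean", CLEAN_JPEG), ("html", HTML_AS_JPEG), ("mixed", JPEG_WITH_MARKUP)]
    for name, blob in samples:
        print(name, check_image_upload(blob, "image/jpeg") or "accepted")
```

The third sample passes a signature-only check and is rejected solely because of the scan of the first 256 bytes.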

