First IE7 phishing bug detected

Secunia has discovered a weakness in one of IE7’s anti-phishing features that makes it possible for a site to spoof the URL in the address bar. To reduce the potential for phishing attacks, IE7 displays the address bar in all popups (smaller than the regular address bar, so it’s less obtrusive). However, this vulnerability makes it possible to display a spoofed URL, meaning that what’s contained in the address bar cannot currently be trusted. Unfortunately, this could give the user a false sense of security.

At the moment there is no comment on this issue on the IE Blog but I expect that they will react to this issue in a timely manner.

If you’re running IE7, you can run the test to see if it’s vulnerable. Firefox and Opera are not vulnerable to this, although both IE and Firefox have suffered similar flaws in the past. In Firefox it’s still possible to hide the address bar in popup windows, but it shows the correct domain in the title bar.

IE7 Phishing spoof

One Response to “First IE7 phishing bug detected”

  1. Mark Milne Says:

    Microsoft don’t consider this a significant bug but what they forget is that this gives people a false sense of security.
