The flaw was described as a universal cross-website scripting vulnerability by David Leo, a researcher at security consultancy company Deusen.
Leo’s post included a link to a proof-of-concept exploit that demonstrates the attack using the dailymail.co.uk website as the target. When opened in Internet Explorer 11 on an up-to-date installation of Windows 8.1, the exploit page provides the user with a link. When the link is clicked, the dailymail.co.uk website opens in a new window, but after 7 seconds the website’s content is replaced with a page reading “Hacked by Deusen.”
The rogue page is loaded from an external domain, but the browser’s address bar keeps showing www.dailymail.co.uk, which means the technique can be used to build credible phishing attacks. Instead of dailymail.co.uk, an attacker could use a bank’s website and then inject a rogue form asking the user for private financial information. Since the browser’s address bar would continue to display the bank’s legitimate domain name, there would be little indication to the user that something is amiss.