Serious Bug in Internet Explorer Bypasses Same-Origin Policy

February 4, 2015 Updated: February 4, 2015

Microsoft is working to patch a vulnerability in Internet Explorer that allows attackers to bypass the same-origin policy, inject malicious code into websites, and steal cookies, session and login details.

A group known as Deusen has published a proof of concept demonstrating the exploit violating the same-origin policy on the Daily Mail’s website. The demo injects the words “Hacked by Deusen” into the website, which means other HTML and JavaScript code can be injected as well.

Microsoft has said it is “not aware of this vulnerability being actively exploited and are working on a security update.” It also encouraged customers “to avoid opening links from untrusted sources and visiting untrusted sites, and to log out when leaving sites to help protect their information.”

The exploit appears to use iframes to tamper with the same-origin policy in IE. Once the attacker’s code bypasses the policy and is injected, it has access to sensitive information normally restricted to the target website, such as session details, cookies, and login details, among other things.

Republished with permission from Neowin.