A severe security flaw has been observed in the latest version of Microsoft’s Internet Explorer. The flaw enables harmful websites to see what the user has typed in the URL address bar, so those websites obtain search terms and addresses.
According to a report published by security researcher Manuel Caballero, this defect allows a website to view the text typed in the address bar when the user presses the Enter key.
The flaw can also read data from the website that the user is about to visit. Like all other web browsers, Internet Explorer brings up search results along with recent search items when users type something in the address bar, and this plays an important role in revealing sensitive user information and browsing habits.
As proof, the security researcher has made a video, which is posted at the end of this post. In the video, the researcher takes simple steps, and we can expect that users would be able to perform them on their own.
In a tweet, the researcher said, “The attacker can get the URL and let the browser load it. The demo is interrupting it on purpose.”
Moreover, he said:
“Microsoft is trying to get rid of IE without saying it. Imagine what black hats can do right now: they can stay in your browser even if you navigate to a different site, which gives them plenty of time to do ugly stuff like mining digital currencies while abusing users’ CPUs. Also, IE has its popUp blocker completely broken and nobody seems to care.”
When contacted, Microsoft said:
“Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible.”