Internet Explorer bug leaks whatever you type in the address bar

(credit: Manuel Caballero)

There’s a bug in the latest version of Internet Explorer that leaks the addresses, search terms, or any other text typed into the address bar.

The bug allows any currently visited website to view any text entered into the address bar as soon as the user hits enter. The technique can expose sensitive information a user didn’t intend to be viewed by remote websites, including the Web address the user is about to visit. The hack can also expose search queries, since IE allows them to be typed into the address bar and then retrieved from Bing or other search services.

The flaw was disclosed Tuesday by security researcher Manuel Caballero. This proof-of-concept site shows the exploit works as described on the latest version of IE.