Microsoft's Internet Explorer 11 web browser can leak user-entered data from the address bar, posing a privacy threat, a security researcher has found.
Manuel Caballero from Argentina, who specialises in web browser security issues, found it was possible to trick Internet Explorer 11 into overtly and silently capturing data from the browser's address bar.
"When a script is executed inside an object-html tag, the location object will get confused and return the main location instead of its own. To be precise, it will return the text written in the address bar so whatever the user types there will be accessible by the attacker," Caballero wrote.
He has published a proof of concept web page to demonstrate the flaw, along with a YouTube video to demostrate it.
Microsoft has indicated the issue could be fixed in next month's Patch Wednesday round of updates for supported versions of its Windows operating system.
Caballero had more criticism in store for Internet Explorer, saying it has several more exploitable flaws currently.
Among these are a broken pop-up blocker, and the "zombie script" bug that allows attackers to continue running code in tabs even after users have left the page.
The latter flaw could allow attackers to run crypto-currency mining scripts for instance, Caballero said.
The security researcher's suggestion is that Microsoft should get rid of Internet Explorer completely, and warn customers to use the company's newer Edge browser instead.
.png&h=140&w=231&c=1&s=0)
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
