Aviv Raff, an independent researcher from Israel, found a vulnerability in Microsoft Corp.’s Internet Explorer that could let someone “easily conduct phishing attacks”. Phishing is a technique in which criminals try to trick people into disclosing sensitive information, such as online banking user names and passwords, and is often conducted through e-mail.
Raff publicly disclosed the vulnerability in a post on his blog on Wednesday.
When a person navigating to a web page cancels that navigation, the page’s URL (uniform resource locator, or address) is passed to a browser resource page stored locally on the computer, called “navcancl.htm.”
That resource creates a link so the user can reload or refresh the page of the site they were trying to visit. It is possible for an attacker to “inject” a script into the generated “refresh the page” link, which would be executed when the user clicks on it, Raff wrote.
“To perform a phishing attack, an attacker can create a specially crafted navcancl.htm local resource link with a script that will display a fake content of a trusted site,” Raff wrote.
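The class of bug described above is a resource page that copies a URL it did not generate straight into a generated link. The following is an added example (not Microsoft’s code, and the function names `isSafeRetryUrl`, `escapeHtml` and `buildRetryLink` are assumptions) of how such a “refresh the page” link should be built: the URL is restricted to web schemes and HTML-escaped before it is placed in the link, so nothing in it can be executed when the user clicks.

```javascript
// Added example: defensive construction of a "refresh the page" link from an
// untrusted URL, the way a local "navigation cancelled" resource page should do
// it. This is not Internet Explorer's navcancl.htm code.

// Escape the characters that can break out of HTML text or an attribute value.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Only http: and https: are acceptable targets for a retry link. Anything else
// (script schemes, data:, local resource schemes, relative paths) is refused
// outright rather than escaped, since escaping does not make a bad scheme safe.
function isSafeRetryUrl(raw) {
  try {
    const u = new URL(raw);           // throws on relative or malformed input
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch (e) {
    return false;
  }
}

// Build the HTML fragment for the retry link. Returns null when the URL is
// rejected so the caller can fall back to a plain "navigation cancelled"
// message instead of rendering a link built from untrusted input.
function buildRetryLink(rawUrl) {
  if (!isSafeRetryUrl(rawUrl)) return null;
  return `<a href="${escapeHtml(rawUrl)}">Refresh the page</a>`;
}

// Constructed sample inputs: an ordinary page URL, a URL carrying quote and
// angle-bracket characters, and a script-scheme URL.
const samples = [
  'http://example.com/page',
  'http://example.com/?q="><b>x</b>',
  'javascript:void(0)',
];
for (const s of samples) console.log(JSON.stringify(s), '->', buildRetryLink(s));
```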