Internet Explorer 7 Popup Address Bar Spoofing Weakness
Secunia Advisory: SA22542
Release Date: 2006-10-25
Critical: Less critical
Where: From remote
Solution Status: Unpatched
Software: Microsoft Internet Explorer 7.x
A weakness has been discovered in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.
The problem is that it's possible to display a popup with a somewhat spoofed address bar in which a number of special characters have been appended to the URL. This makes it possible to display only a part of the address bar, which may trick users into performing certain unintended actions.
Secunia has constructed a demonstration, which is available at:
The weakness is confirmed in Internet Explorer 7 on a fully patched Windows XP SP2 system.
Solution: Do not follow links from untrusted sources.
Provided and/or discovered by: Discovered by an anonymous person.