IE7 - Phishing vs. Privacy

Troy

Disciple
Hi all,

#issue 1:

If you are using IE7, then think twice: according to SPI Labs, IE7 sends personal information (the URLs that you request) to Microsoft.

Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling. When running the browser through a proxy you can see SOAP requests being made to Microsoft as you hit each page. Here is what the requests look like.

POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1
Accept: text/*
SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: urs.microsoft.com
Content-Length: 648
Cache-Control: no-cache

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
  <soap:Body>
    <Lookup xmlns="http://Microsoft.STS.STSWeb/">
      <r soapenc:arrayType="xsd:string[1]">
        <string>http://zero.webappsecurity.com/pindex.asp</string>
      </r>
      <ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID>
      <v soapenc:arrayType="xsd:string[5]">
        <string>7.0.6004.6</string>
        <string>7.00.5824.16386</string>
        <string>7.0.6000.16386</string>
        <string>6.0.6000.0.0</string>
        <string>en-us</string>
      </v>
    </Lookup>
  </soap:Body>
</soap:Envelope>
You can see in the SOAP envelope the full URL of the site I am browsing. Upon further investigation, this is how IE7 implements its real-time phishing notification. In the settings of IE you will find the option to disable or enable this under “Phishing Filter”. This raises some serious questions; here are just a few that I can think of:

1) I don’t recall being notified that this was occurring. Now I am the first to admit I don’t read every installation page, disclaimer or EULA but I would think this would be a BIG screen explaining the setting and the consequences of the option.

2) Everyone knows you can trust MS with personal data, but this is a bit much. The ability to track every single web page that is visited is, needless to say, powerful information.

3) Why in the world does Microsoft feel it necessary to check INTERNAL ADDRESSES for phishing web sites? Yes, this actually happens. I browsed to a 172. address and a request with the full internal IP was sent to Microsoft.

4) POST data and query data are not submitted, but what are the implications for websites that keep session state or user-sensitive information in the URL (as seen in URL rewriting)? This data being transferred to a site other than the one I am visiting, even though via SSL, still does not give one a warm fuzzy feeling.

5) What are the other parameters in the request used for? Client-Key? Is this key really tied to me? If so, is it really necessary for MS to know this to inform me of a phishing site?

#issue 2:

According to secdev:

Microsoft may monitor every search from within the Internet Explorer™ location bar.

It is practically and theoretically possible for Microsoft™ to monitor and data mine search terms, even when those are searched over Google or other search engines, if these search terms were entered in the URL location bar. This is possible because the MSN server which redirects to Google or to any other search engine knows about the search terms.

Protection against search URL modification can be circumvented.

Since Microsoft owns this virtual DNS server for provider IDs, it should be impossible for browser search hijackers to modify the URL, since they do not have access to the MSN search database of providers and can't modify the URL by simply manipulating the registry. However, spyware, adware or their affiliates can practically overcome this limitation by adding a single entry to the HOSTS file of the targeted computer. You can find the HOSTS file in \systemroot\System32\Drivers\Etc.
# 102.54.94.97 rhino.acme.com
# 38.25.63.10 x.acme.com
127.0.0.1 localhost
66.150.196.177 auto.search.msn.com

A malicious example of a DNS entry in the HOSTS file.
In this case, Internet Explorer will, instead of transmitting the data to auto.search.msn.com, transmit the data to the IP 66.150.196.177. The data is sent to an ASP page in the form "/response.asp?MT=test&srch=3&prov=gogl". We can now receive the data, either by writing an ASP script on our server and giving it the name response.asp, or by using Apache mod_rewrite to rewrite the URL to use a Perl script. Either way we now have the data, which we can forward to a pay-for-performance search engine using an affiliate ID, or choose to do otherwise.
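The two issues above both leave checkable traces on the client side: the phishing-filter Lookup call carries the visited URLs (and a client ID) in a SOAP body that any intercepting proxy can capture, and the search hijack is a plain HOSTS-file override. The script below is an added example written for this page, not code from the post, SPI Labs, secdev or Microsoft. It parses a Lookup body of the shape captured above and flags URLs that should never have left the machine (private/intranet addresses, and session identifiers carried in the path by URL rewriting or in the query string), and it scans HOSTS-file text for non-loopback overrides of msn.com/microsoft.com names. The sample SOAP body and HOSTS text are constructed: the first URL and the client ID are the ones from the post, the 172.16.4.20 URL with a jsessionid is an assumed intranet case, and the list of session-parameter names is a heuristic, not anything the filter or Microsoft defines.

```python
"""Audit helpers for the IE7 phishing-filter URL leak and the HOSTS-file
search hijack described in the post. Added example, not the post's own code."""
from __future__ import annotations

import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlsplit

# Default namespace used by the <Lookup> element in the captured request.
LOOKUP_NS = "http://Microsoft.STS.STSWeb/"

# Constructed sample modelled on the captured SOAP body. The first URL and the
# ID come from the post; the second URL is an assumed intranet address with a
# path-rewritten session id, the case the post is worried about.
SAMPLE_LOOKUP = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
 xmlns:xsd="http://www.w3.org/2001/XMLSchema"
 xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/">
<r soapenc:arrayType="xsd:string[2]">
<string>http://zero.webappsecurity.com/pindex.asp</string>
<string>http://172.16.4.20/intranet/home;jsessionid=ABC123</string>
</r>
<ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID>
<v soapenc:arrayType="xsd:string[5]"><string>7.0.6004.6</string>
<string>7.00.5824.16386</string><string>7.0.6000.16386</string>
<string>6.0.6000.0.0</string><string>en-us</string></v>
</Lookup></soap:Body></soap:Envelope>"""

# Constructed HOSTS text reproducing the fragment quoted in the post.
SAMPLE_HOSTS = """# 102.54.94.97 rhino.acme.com
# 38.25.63.10 x.acme.com
127.0.0.1 localhost
66.150.196.177 auto.search.msn.com
"""

# Heuristic list of parameter names that usually carry a session identifier
# (an assumption for this example, not a list defined by the filter).
SESSION_RE = re.compile(
    r"(?<![a-z])(jsessionid|phpsessid|aspsessionid|sessionid|session|sid|token)(?![a-z])",
    re.I,
)


def extract_lookup_urls(soap_xml: str) -> list[str]:
    """Return the URLs inside <r> of a Lookup body, i.e. what IE7 sent to urs.microsoft.com."""
    root = ET.fromstring(soap_xml.strip())
    path = f".//{{{LOOKUP_NS}}}r/{{{LOOKUP_NS}}}string"
    return [s.text.strip() for s in root.findall(path) if s.text]


def extract_client_id(soap_xml: str) -> str | None:
    """Return the <ID> GUID the client attaches to every lookup (a persistent identifier)."""
    node = ET.fromstring(soap_xml.strip()).find(f".//{{{LOOKUP_NS}}}ID")
    return node.text.strip() if node is not None and node.text else None


def classify_url(url: str) -> list[str]:
    """List the reasons this URL is a privacy concern when sent to a third party."""
    reasons: list[str] = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    try:
        ip = ipaddress.ip_address(host)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            reasons.append("private address")
    except ValueError:
        if "." not in host:  # bare intranet names such as http://intranet/
            reasons.append("single-label (intranet) hostname")
    # URL rewriting puts the session id in the path (e.g. ;jsessionid=...).
    if SESSION_RE.search(parts.path):
        reasons.append("session id in path")
    # The post says the query string is not sent; the check still covers it
    # in case a capture shows otherwise.
    for key, _ in parse_qsl(parts.query, keep_blank_values=True):
        if SESSION_RE.search(key):
            reasons.append(f"session id in query: {key}")
    return reasons


def audit_lookup(soap_xml: str) -> dict[str, list[str]]:
    """Map every URL in the captured Lookup body to its list of concerns."""
    return {url: classify_url(url) for url in extract_lookup_urls(soap_xml)}


def hijacked_hosts_entries(hosts_text: str,
                           watched: tuple[str, ...] = ("msn.com", "microsoft.com")) -> dict[str, str]:
    """Return {hostname: ip} for non-loopback HOSTS entries overriding watched domains."""
    hits: dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        ip_text, *names = line.split()
        try:
            addr = ipaddress.ip_address(ip_text)
        except ValueError:
            continue  # malformed line, not an address
        for name in names:
            n = name.lower()
            if any(n == d or n.endswith("." + d) for d in watched) and not addr.is_loopback:
                hits[n] = ip_text
    return hits


if __name__ == "__main__":
    # Offline run against the constructed samples. For a live check, feed the
    # body of a proxied POST /urs.asmx request and the text of
    # %SystemRoot%\System32\drivers\etc\hosts instead.
    print("client id:", extract_client_id(SAMPLE_LOOKUP))
    for url, reasons in audit_lookup(SAMPLE_LOOKUP).items():
        print(url, "->", reasons or "no immediate concern")
    print("HOSTS overrides:", hijacked_hosts_entries(SAMPLE_HOSTS))
```

The two checks are deliberately independent: the Lookup parser is only useful if you run IE7 through an intercepting proxy, while the HOSTS scan works on any machine and is the quickest way to confirm whether auto.search.msn.com has been redirected as the secdev excerpt describes.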