Browser Auth Phishing Attack with embedded images

Won’t fix Issue #1329392

Details

Created
Jan 12, 2015
Privacy
This issue is public.
Reports
Reported by 0 people


Steps to reproduce

URL:

Repro Steps:

http://bfldev.com/auth-pishing

Vulnerability Test Case

For example, I have here an image that can be used on any site - it will ask you for authentication when the image tries to load.
The image is generated by a server-side PHP script and can therefore grab and save your credentials to a database or whatever.
Don’t panic, this image is for demonstration only and does not log any credentials, I’m a white hat.

<img src="http://bfldev.com/auth-pishing.jpg" alt=""/>

An external demonstration page where you see it in action
http://jsfiddle.net/xcfj3ek8/1/

Expected Results:

Never ask for auth windows in embedded images or other embedded stuff.

Actual Results:

Dev Channel specific:

No

Attachments

0 attachments
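
An added example, not part of the original report or of any browser's code: one way a site that accepts user-supplied HTML could audit it for the behaviour reported above, by flagging embedded images that are cross-origin to the page and answer with an HTTP authentication challenge. The hostnames, the response table and the function names are constructed for illustration.

```javascript
// Constructed sample data: what each embedded URL answered when fetched
// without credentials (in practice this comes from a crawler or proxy log).
const sampleResponses = {
  'http://forum.example/avatars/alice.png': { status: 200, headers: {} },
  'http://images.example/banner.jpg': {
    status: 401,
    headers: { 'www-authenticate': 'Basic realm="Please log in to forum.example"' },
  },
  'http://forum.example/private/chart.png': {
    status: 401,
    headers: { 'www-authenticate': 'Basic realm="staff"' },
  },
};

// Collect the src of every <img> tag and resolve it against the page URL.
function embeddedImageUrls(pageUrl, html) {
  const urls = [];
  const imgSrc = /<img\b[^>]*?\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of html.matchAll(imgSrc)) {
    const raw = m[1] ?? m[2] ?? m[3];
    try {
      urls.push(new URL(raw, pageUrl).href);
    } catch {
      // Unparseable src: the browser would not fetch it either, so skip it.
    }
  }
  return urls;
}

// Return the images that are cross-origin to the page AND answer with an
// authentication challenge, i.e. the ones that could raise a login dialog
// the visitor is likely to attribute to the embedding site.
function findCrossOriginAuthChallenges(pageUrl, html, responses) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const url of embeddedImageUrls(pageUrl, html)) {
    const res = responses[url];
    if (!res || res.status !== 401) continue;
    const challenge = res.headers['www-authenticate'];
    if (!challenge) continue;
    // Same-origin challenges come from the site itself and are not flagged.
    if (new URL(url).origin === pageOrigin) continue;
    findings.push({ url, scheme: challenge.split(/\s+/)[0], challenge });
  }
  return findings;
}
```
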

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Tony S.”

      Changed Assigned To from “Tony S.” to “John H.”

      Changed Assigned To from “John H.” to “IE F.”

      Changed Status to “Won’t fix”
