Possible Security Hole in Internet Explorer 4.0
Martin Minow
minow at apple.com
Thu Oct 2 12:44:25 PDT 1997
>From a message in MacOSRumors <http://rumors.netexpress.net/> (I have
not independently verified this)
--- Begin quote ---
Internet Explorer 4.0 ships with major security hole....
With the Microsoft Internet Explorer 4.0 for Windows release only hours
old, users have already discovered a major security hole that smacks
painfully of Big Brother:
Most folks will remember the Netscape java bug that allowed you to snoop on
what people where visiting. Well IE4.0 goes a bit further than this -
Logging of your actions, even when you would otherwise be shielded by
proxies is BUILT-IN.
The channel definition format (.CDF)
http://www.microsoft.com/standards/cdf-f.htm
includes a LOGTARGET feature that allows a web site provider to make your
browser deliver logs of your usage via an http post or put. Even hits from
cache are logged. This is all not so good and getting worse. Not only is
the information posted material, you wouldn't want to give to a provider,
(considering) "http post/put" is normally spoofable anyway.
Unanswered question for next time - or for folks with more time than me to
follow up Can you put other sites in your channel definition and get logs
of when they read your competitor's site (with this system)?
Definitely not confidence-inspiring. It appears the Mac version is affected
by this same problem, as well...and neither platform has any means of
disabling this "feature" at present.
---
[Internet Explorer 4.0 has not yet been released for the Macintosh platform.]
Martin Minow minow at apple.com
More information about the cypherpunks-legacy
mailing list