IE7 - Phishing vs. Privacy

Published 19 December 06 03:01 PM | LabsMan 

Today I was testing WebInspect on my newly installed version of Vista with IE7 and found something startling.  When running a browser through a proxy you can see soap requests being made to Microsoft as you hit each page.  Here is what the requests look like.

POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1
Accept: text/*
SOAPAction: "http://Microsoft.STS.STSWeb/Lookup"
Content-Type: text/xml; charset=utf-8
User-Agent: VCSoapClient
Host: urs.microsoft.com
Content-Length: 648
Cache-Control: no-cache

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"><soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/"><r soapenc:arrayType="xsd:string[1]"><string>http://zero.webappsecurity.com/pindex.asp</string></r><ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID><v soapenc:arrayType="xsd:string[5]"><string>7.0.6004.6</string><string>7.00.5824.16386</string><string>7.0.6000.16386</string><string>6.0.6000.0.0</string><string>en-us</string></v></Lookup></soap:Body></soap:Envelope>

You can see in the SOAP envelope the full URL of the site I am browsing. Upon further investigation, this is how IE7 implements its real-time phishing notification. In the settings of IE you will find the option to disable or enable this under "Phishing Filter". This raises some serious questions; here are just a few that I can think of:

1) I don't recall being notified that this was occurring. Now I am the first to admit I don't read every installation page, disclaimer or EULA, but I would think this would be a BIG screen explaining the setting and the consequences of the option.

2) Everyone knows you can trust MS with personal data, but this is a bit much. The ability to track every single web page that is visited is, needless to say, powerful information.

3) Why in the world does Microsoft feel it necessary to check INTERNAL ADDRESSES for phishing web sites? Yes, this actually happens. I browsed to a 172. address and a request with the full internal IP was sent to Microsoft.

4) POST data and query data are not submitted, but what are the implications for websites that keep session state or user-sensitive information in the URL (as seen in URL rewriting)? This data being transferred to a site other than the one I am visiting, even though via SSL, still does not give one a warm fuzzy feeling.

5) What are the other parameters in the request used for? Client-Key? Is this key really tied to me? If so, is it really necessary for MS to know this to inform me of a phishing site?
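The captured Lookup envelope and points 3 and 4 describe what the filter sends out; as an added example that is not part of the original post, here is a small Python script a defender could run over envelopes captured on a proxy to pull out the reported URL, the client ID and the version strings, and to flag lookups that reveal an internal address or a session token in the URL. It also pulls the MSPRU-Client-Key and MSPRU-Patented-Lock parameters out of the request line so they can be compared across captures. The sample envelope (a private 172.16 address carrying a session id), the list of session-key names and the internal-host heuristic are my own assumptions for the example, not anything the post or Microsoft documents.

```python
# Added example (not from the original post): parse a captured IE7 Phishing
# Filter SOAP "Lookup" request and report what it reveals about the client.
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Namespaces as they appear in the captured envelope.
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
LOOKUP_NS = "http://Microsoft.STS.STSWeb/"

# Query-string keys that commonly carry session state in URL rewriting.
# This list is an assumption for the example, not something the post lists.
SESSION_KEYS = {"sessionid", "jsessionid", "phpsessid", "sid", "token", "asp.net_sessionid"}
# Session ids embedded in the path (Java ";jsessionid=" and ASP.NET "(S(...))" styles).
SESSION_PATH_RE = re.compile(r";jsessionid=|\(S\([0-9a-z]+\)\)", re.IGNORECASE)

# Constructed sample envelope: same shape as the capture in the post, but the
# URL is swapped for a private address with a session id so both checks fire.
SAMPLE_ENVELOPE = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" '
    'xmlns:xsd="http://www.w3.org/2001/XMLSchema">'
    '<soap:Body><Lookup xmlns="http://Microsoft.STS.STSWeb/">'
    '<r soapenc:arrayType="xsd:string[1]"><string>'
    'http://172.16.5.20/intranet/report.asp?sid=abc123&amp;page=2'
    '</string></r>'
    '<ID>{B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F}</ID>'
    '<v soapenc:arrayType="xsd:string[2]"><string>7.0.6004.6</string>'
    '<string>en-us</string></v>'
    '</Lookup></soap:Body></soap:Envelope>'
)

# Request line copied from the capture in the post.
SAMPLE_REQUEST_LINE = (
    "POST /urs.asmx?MSPRU-Client-Key=l7m7EvM2K/IVNQCBF7AVPg%3d%3d"
    "&MSPRU-Patented-Lock=XdXWSI8WgDg%3d HTTP/1.1"
)


def request_line_params(request_line):
    """Return the query parameters of the POST target as {name: first value}."""
    target = request_line.split()[1]
    return {k: v[0] for k, v in parse_qs(urlsplit(target).query).items()}


def parse_lookup(envelope_xml):
    """Return (urls, client_id, version_strings) from a STSWeb Lookup envelope."""
    root = ET.fromstring(envelope_xml)
    lookup = root.find(f"{{{SOAP_NS}}}Body/{{{LOOKUP_NS}}}Lookup")
    if lookup is None:
        raise ValueError("not a STSWeb Lookup request")
    # Children of <Lookup> inherit its default namespace.
    urls = [s.text for s in lookup.findall(f"{{{LOOKUP_NS}}}r/{{{LOOKUP_NS}}}string")]
    id_el = lookup.find(f"{{{LOOKUP_NS}}}ID")
    client_id = id_el.text if id_el is not None else None
    versions = [s.text for s in lookup.findall(f"{{{LOOKUP_NS}}}v/{{{LOOKUP_NS}}}string")]
    return urls, client_id, versions


def is_internal_host(host):
    """True for private/loopback/link-local IPs and bare intranet names (heuristic)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not an IP literal: treat "localhost" and dotless names as internal.
        return host.lower() == "localhost" or "." not in host
    return ip.is_private or ip.is_loopback or ip.is_link_local


def assess_url(url):
    """List what disclosing this URL to a third party would expose."""
    parts = urlsplit(url)
    findings = []
    if is_internal_host(parts.hostname or ""):
        findings.append("internal-address")
    if any(k.lower() in SESSION_KEYS for k in parse_qs(parts.query)):
        findings.append("session-token-in-query")
    if SESSION_PATH_RE.search(parts.path):
        findings.append("session-token-in-path")
    if parts.username or parts.password:
        findings.append("credentials-in-url")
    return findings


def assess_lookup(envelope_xml):
    """Summarise one Lookup request: client id, versions, and per-URL findings."""
    urls, client_id, versions = parse_lookup(envelope_xml)
    # If the ID is stable across requests, it lets the receiving side link
    # every lookup from one client into a browsing history.
    return {"client_id": client_id, "versions": versions,
            "urls": {u: assess_url(u) for u in urls}}


if __name__ == "__main__":
    print(request_line_params(SAMPLE_REQUEST_LINE))
    for url, findings in assess_lookup(SAMPLE_ENVELOPE)["urls"].items():
        print(url, "->", ", ".join(findings) or "no findings")
```

On the URL from the post's own capture (http://zero.webappsecurity.com/pindex.asp) the script reports nothing; on the constructed sample it reports an internal address and a session token in the query, which is exactly the kind of lookup you would want a proxy to block or at least log.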

Feel free to comment on other implications that you can think of. 


Comments

# Jeremy said on December 19, 2006 3:28 PM:
Is this any different from what Google does with the PageRank indicator on the Google toolbar? I'm not sure how else Microsoft or anyone else would implement a phishing filter. I personally disabled the phishing filter for precisely this reason.
# Jen Albornoz Mulligan said on December 19, 2006 3:29 PM:
According to Microsoft, this feature was turned off by default? So you did turn it on right? (see Phishing Filter at http://www.microsoft.com/windows/ie/ie7/privacy/ieprivacy_7.mspx). They claim that search terms are removed but they also say, "If you are concerned that an address string might contain personal or confidential information, you should not report the site." Got any examples of such a site?
# larryl said on December 19, 2006 3:42 PM:
I believe that when you upgrade to IE7, you're given a notice about turning the phishing option on or off. I faintly remember it explaining something about sending web site addresses to Microsoft to check against a phishing database, but I'm sure it didn't go into details about what information it actually sends... and how much. Since IE7 comes preinstalled with Vista, I don't think users are prompted with the same information.
# VB6 Junkie said on December 19, 2006 3:44 PM:
During the install or the first time you run IE7, it asks you if you want to turn Automatic Phishing Filter On. It shows On as the recommended option.
# Dario said on December 21, 2006 1:30 PM:
Men... This is why I'm proud of using Ubuntu!
# cus said on December 21, 2006 2:38 PM:
this is FUD
# mythsmith said on December 21, 2006 3:42 PM:
Is there a way to check if those keys are bound to your copy of Windows?
# Bugbuster said on December 22, 2006 1:57 PM:
Exactly, how did you see it? How can I reproduce this test? I'm running IE7 on WinXP, and I see only encrypted data when IE checks for the site trustworthiness.
# Deke said on January 7, 2007 9:44 AM:
Let me tell you... we soon will not know the meaning of privacy. This world is heading towards humans being herded like cattle. These big companies want to know what you are doing and what you are seeing so they can sell you more and you will buy more. Big brother is here! They implement these changes... little steps at a time. You are right to be concerned. Watch the movie called "America Freedom to Fascism". It was produced by Aaron Russo, who made other movies like ("The Rose," "Trading Places"). It will be one of the most important films you will ever see in your life. http://video.google.com/videoplay?docid=5355374476580235299&q=aaron+russo+american God bless you. Darius
# ush.it - a beautiful place » IE7 ping back home, MS and your browsing history said on June 7, 2007 4:21 PM:
PingBack from http://www.ush.it/2006/12/20/ie7-ping-back-home-ms-and-your-browsing-history/
# xxx said on September 10, 2007 8:52 AM:
BTW, nice that this info is sent also when Phishing is turned off!


About LabsMan

I like big hair music and long walks on the beach.