HSTS Bypass Vulnerability in IE Preview

This is a write-up of an old vulnerability in Internet Explorer preview that I discovered in 2015. It is a partial HSTS bypass vulnerability. It was my first vulnerability found in Microsoft software. There was no bug bounty, and no CVE was assigned to this bug, but I was credited by Microsoft in June 2015 for my report. I discovered it totally by accident. In this article, I will share the detail of this vulnerability.

Background

As I mentioned in my article Find Edge’s HSTS Preload List (Part I), the HTTP Strict Transport Security (HSTS) allows websites to instruct that web browsers should only use HTTPS to connect to their servers. HSTS has two requirements for browsers:

  1. If a link uses “http:” protocol and the domain part of the URL is a known HSTS domain, then browsers must rewrite the protocol to “https:” before sending the request. (e.g. If a user types http://github.com/ in the address bar, browsers should use https://github.com/)
  2. If the certificate presented by the server is untrusted, browsers must not allow users to ignore the certificate error.

The reason behind the second requirement is that some certificate errors are not due to real attacks, but due to server misconfiguration, skewed client clocks, captive portals, etc. But because of that, some users have a habit of clicking through the warning messages. By removing this insecure option, HSTS helps users always remain secure.

Vulnerability

The vulnerability existed in IE 11 on Windows 10 Technical Preview Build 10041. It didn’t affect released versions of Windows, because HSTS was only supported in Windows 10 Preview, not in Windows 7, 8 or 8.1, at that time.

The vulnerability bypasses the second requirement of HSTS. It works by redirecting any HTTP or HTTPS requests to a HSTS domain, and then IE allows users to ignore the certificate warnings. For example, a user visits http://example.com/. A MITM attacker redirects http://example.com to https://github.com/, and then intercept the TLS request with a self-signed certificate. Because the cert is self-signed, IE shows an error page to users, but surprisingly there’s an option for users to continue to the website. Worse more, when you hover over the “Continue to this website” link, the URL shown on the bottom left is “http://example.com", not “https://github.com". If you indeed ignore the warning, the cookies for github.com are sent to the MITM.

Visit https://www.facebook.com directly:

Error page when MITM redirects to https://www.facebook.com:

After user clicks through the warning:

Since this vulnerability only affected IE in beta, Microsoft said they would not assign a CVE to this issue, but they did credit me in the bulletin. I am really grateful for the acknowledgement and the fast fix.

Timeline

  1. March 19, 2015: Vulnerability sent to MSRC
  2. March 19, 2015: MSRC opened case 21780
  3. June 9, 2015: Patch released to users