Internet Explorer has a security flaw when copying masked passwords on Windows Phone (Update)

Information security is always one of those topics that is hard to report on, especially with the sheer number of devices available today. The problem lies in what is dangerous, what is bad, or what is no-big-deal. Frankly, opinions vary on the risks and threats involved.

One neat feature in Windows Phone is the ability to select text and hit the Search key. The Windows Phone OS copies the information over to Bing (or Cortana), and it lets you search without having to copy/paste the selection. It is super useful and certainly convenient for speedy searches.

However, there does seem to be one instance where this feature works where it should not: password fields.

The security vulnerability

When using Internet Explorer, text entered into a password field replace the characters with an asterisk. So instead of 'dummypassword' you see a series of *************. The mask is there so that if someone is overlooking your shoulder, they cannot see your password (unless they saw each letter being entered).

This security protection is standard across web browsers, operating systems, and it should be familiar to most of you.

The issue with Windows Phone is that you can select that field, highlighting the masked text and reveal the password using the Search key. Instead of searching for a series of asterisks, the password is revealed in full, pasted right into the search dialog screen.

Is this a big deal?

So the question is, how big a deal is this? Presumably, for someone to take advantage of this security hole, the person would need to be in possession of your phone.

One could argue in this situation, if your phone is already stolen and they have open access to the operating system, well, you have bigger problems. Passwords could be reset with email, which is likely on that very phone. Pictures, documents, notes, etc. are also all up for grabs.

Nevertheless, other operating systems like iOS do not allow this behavior.

Furthermore, if your phone is PIN unlocked, someone would not need to steal your phone to make usage of this trick. Many people let Internet Explorer manage their passwords, allowing the password box to auto-fill when logging into a website. A potential thief could just as easily go to the browser, load up Facebook and when it fills in the field, use this flaw to grab your password.

Fixed in Windows 10?

Although this flaw is exposed on Windows Phone 8.1, it looks like in Windows 10 for phone it cannot. We tried it on our Lumia 830 with the Windows 10 preview installed and were not able to replicate the vulnerability. Furthermore, Internet Explorer is supposed to be supplanted by the Project Spartan browser, giving Microsoft another shot at making sure this – and other – vulnerabilities do not exist.

Microsoft should fix this

We would consider this a low-level threat as it would require someone have access to your phone. Additionally, if IE is not managing your passwords, it is even harder.

Regardless, it is a flaw that should be addressed by Microsoft. We gave an example of how this could be exploited even without someone stealing your phone or waiting for you to enter a password. Password fields should never let you copy information, and although on desktop browsers you can use Javascript tricks to grab the password this is a separate issue than a simple copy/paste risk.

Update: Microsoft's Security Response Center has responded to Peter's report filed earlier. The news is not so comforting.

"Thank you for contacting the Microsoft Security Response Center. Upon investigation we have determined it to not be a security vulnerability as it requires physical access (please see link below). For an in-depth discussion of what constitutes a product vulnerability, please see https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10). "

However, Microsoft's Windows and Windows Phone teams can still patch this on their own, so we will keep an eye out to see if that happens.

The problem was brought to our attention by Peter M., and also posted on Reddit

Daniel Rubino
Editor-in-chief

Daniel Rubino is the Editor-in-chief of Windows Central. He is also the head reviewer, podcast co-host, and analyst. He has been covering Microsoft since 2007, when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, laptops, next-gen computing, and watches. He has been reviewing laptops since 2015 and is particularly fond of 2-in-1 convertibles, ARM processors, new form factors, and thin-and-light PCs. Before all this tech stuff, he worked on a Ph.D. in linguistics, watched people sleep (for medical purposes!), and ran the projectors at movie theaters because it was fun.