
Internet Explorer has a security flaw when copying masked passwords on Windows Phone (Update)

Information security is always one of those topics that is hard to report on, especially with the sheer number of devices available today. The problem lies in what is dangerous, what is bad, or what is no-big-deal. Frankly, opinions vary on the risks and threats involved.

One neat feature in Windows Phone is the ability to select text and hit the Search key. The Windows Phone OS copies the information over to Bing (or Cortana), and it lets you search without having to copy/paste the selection. It is super useful and certainly convenient for speedy searches.

However, there does seem to be one instance where this feature works where it should not: password fields.

The security vulnerability

When using Internet Explorer, text entered into a password field is replaced with asterisks. So instead of 'dummypassword' you see a series of *************. The mask is there so that if someone is looking over your shoulder, they cannot see your password (unless they saw each letter being entered).

This security protection is standard across web browsers and operating systems, and it should be familiar to most of you.

The issue with Windows Phone is that you can select that field, highlighting the masked text, and reveal the password using the Search key. Instead of searching for a series of asterisks, the password is revealed in full, pasted right into the search dialog screen.

Is this a big deal?

So the question is, how big a deal is this? Presumably, for someone to take advantage of this security hole, the person would need to be in possession of your phone.

One could argue in this situation, if your phone is already stolen and they have open access to the operating system, well, you have bigger problems. Passwords could be reset with email, which is likely on that very phone. Pictures, documents, notes, etc. are also all up for grabs.

Nevertheless, other operating systems like iOS do not allow this behavior.

Furthermore, if your phone is unlocked, someone would not need to steal it to make use of this trick. Many people let Internet Explorer manage their passwords, allowing the password box to auto-fill when logging into a website. A potential thief could just as easily go to the browser, load up Facebook and, when it fills in the field, use this flaw to grab your password.

Fixed in Windows 10?

Although this flaw is present on Windows Phone 8.1, it does not appear to be reproducible in Windows 10 for phones. We tried it on our Lumia 830 with the Windows 10 preview installed and were not able to replicate the vulnerability. Furthermore, Internet Explorer is supposed to be supplanted by the Project Spartan browser, giving Microsoft another shot at making sure this vulnerability, and others, do not exist.

Microsoft should fix this

We would consider this a low-level threat, as it would require someone to have access to your phone. Additionally, if IE is not managing your passwords, it is even harder.

Regardless, it is a flaw that should be addressed by Microsoft. We gave an example of how this could be exploited even without someone stealing your phone or waiting for you to enter a password. Password fields should never let you copy information, and although on desktop browsers you can use JavaScript tricks to grab the password, that is a separate issue from a simple copy/paste risk.

Update: Microsoft's Security Response Center has responded to Peter's report filed earlier. The news is not so comforting.

"Thank you for contacting the Microsoft Security Response Center. Upon investigation we have determined it to not be a security vulnerability as it requires physical access (please see link below). For an in-depth discussion of what constitutes a product vulnerability, please see https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc751383(v=technet.10)."

However, Microsoft's Windows and Windows Phone teams can still patch this on their own, so we will keep an eye out to see if that happens.

The problem was brought to our attention by Peter M., and also posted on Reddit.

Daniel Rubino
Executive Editor

Daniel Rubino is the Executive Editor of Windows Central, head reviewer, podcast co-host, and analyst. He has been covering Microsoft here since 2007, back when this site was called WMExperts (and later Windows Phone Central). His interests include Windows, Microsoft Surface, laptops, next-gen computing, and arguing with people on the internet.

90 Comments
  • It's not the only nor the first browser to have this feature...
    Be realistic bros
  • Of course. These flaws are all over the place. Doesn't excuse them though and this is presumably easy to fix.
  • Is this really even an issue? Probably better if it couldn't be done, but the only people who could have access to this would already have access to all information these passwords lead to anyway. That would be an unlocked phone in their hands with a filled in password in front of them. It's a dud to have the potential for the password to be compromised also, but it is only by someone who has already acquired access to a password that is sitting there ready to be entered.
  • I think I wrote exactly that in the article, no?
  • You really did write it, Daniel, people have to read before saying anything
  • The article headline is what tends to be seen and repeated far and wide. Why use such a headline when the conclusion of the article points to low risk? The headline can become the conclusion for many by using this tactic.
  • "The headline can become the conclusion for many by using this tactic."
    I will not write titles to cater to those who cannot bother to read it. What happens afterwards is not my concern. Also, my headline is as literal and non-sensational as you can get while remaining 100% accurate.
  • True. Maybe I overreacted. My initial reaction of assuming a major problem after reading the headline, to reading the article and concluding that it was no big deal at all led to my response. Sorry.
  • No problem. I purposefully tried to tone this one down as to not draw over-reaction from readers (hence the rhetorical questions I ask as subheadlines).
  • What I find funny about these kinds of articles is that the small percentage of people that would normally have known about this security flaw suddenly grows to a way larger percentage of people knowing about this flaw, and therefore a way higher potential for people to use it to their advantage. I'm all for security flaws being fixed, but I almost feel like the info about the security flaws should be kept internal, dealt with, then once a fix has rolled out, THEN they tell the masses.
  • While I agree for the most part, I can see it both ways. When it's blasted wide open, then it's more likely to be fixed, otherwise they're just like, "ehh, nobody knows about it anyway." Also, now that I know about this flaw, I'm less likely to hand my phone over to a friend so he can look something up (or whatever). Or at least be more careful about it.
  • Even my L520's Cortana never does this; just tried it and she didn't do it.
  • Well sadly, this wasn't the case for my L625. It just searched for my password :) Anyway. As if anyone will get to unlock my phone, plus, I don't use auto-fill of passwords :)
  • But thanks to WC everybody now knows about this flaw :P
  • It was already on Reddit and we were getting tipped on it. Burying our heads in the sand won't help. Different story if it already wasn't 'out there' for the world to find ;)
  • It was a joke, although no one I know is on Reddit, so Windows Central is the only portal to Windows news for them (congrats :D)
  • Heh. Actually I posted the hint to you and the Reddit post is mine too. I just wanted the crowd to know one day or another.... Or one way and another
  • You can accomplish the same thing in any desktop browser.
    Inspect element on a password input, change type from "password" to "text" and you now have the password. They should change this so that Cortana uses the masked version of the password input but this is not a huge concern.
  • I remember simple copy pasting
  • Seriously I don't know about this vulnerability...
  • Man I honestly never even thought of that! I always knew whatever you had copied and pressed search, it would auto-copy but dude that is awesome! I'm doing this on my dad's WP lol.
  • What will you do with your dad's password ;)
  • Lol idk... Hack his account lol
  • I didn't even know about this feature!! :D
  • Me neither!
  • Good thing I'm not going to let an untrustworthy person physically use my phone, unlocked. This isn't a big deal at all. Just getting blown up by Reddit neckbeards.
  • Neckbeards amassing :)
  • Well... when I highlight any text in Internet Explorer and press the search key... it opens Bing (Cortana) but without pasting the highlighted text... any ideas?
  • Same here
  • I have just understood why, it's because your default search engine in your IE settings is "Google" ... Make it Bing :) I tried it and worked :)
  • Let it be that way, it can be a workaround till the patch arrives.
  • Oh hell yeah! My name will be written in the Windows Phone history that I found a workaround for such a security problem!! "I hope no one found it before me" :D
  • It was already mentioned in the Reddit thread. Issue is, for some of us there is no option to set default search engine any more.
  • Dammit... I thought I could be more famous than Bill Gates :(
  • Don't know why but I found this vulnerability silly (can be serious though)
  • It is silly. Good thing to change in 10, but not something to really worry about otherwise.
  • Internet Explorer on WP8.1 sucks. Also why can't I share a page into the LinkedIn app? Android's app-to-app communication makes sharing content between apps a cakewalk.
  • Because LinkedIn needs to add that functionality to their app. It's literally a couple of lines of code, but I agree, that would be a nice addition.
  • I prefer Blackberry OS10
  • The LinkedIn app sucks and has been broken for ages now.
  • Cannot copy on my L735,8.1----375
  • Make sure your default search engine is Bing in the Internet Explorer settings
  • That's what I'm talking about :D Great text! And I think they should fix it (but I also think that it doesn't seem easy), if you look at 30% using 8.0 or Windows Phone 7.8... When Windows 10 comes out, many users will still be at "risk".
  • Not a big deal
  • Just out of curiosity, does it work on your Lumia 930 with Lumia Camera 5? Doesn't that phone have a slightly newer OS compared to the DP? Either way, as long as it's fixed in Windows 10, I agree that this is a pretty low-level threat.
  • Yes it is I just tried it. UK on EE.
  • IFONDLECHILDREN
    Hey it really does work!
  • Is that really called for? Smh
  • That's gross dude.
  • I agree it's a low-level threat & Microsoft should fix it, but since you can't replicate it on W10fP sounds like Microsoft fixed it already. Anyway, to be safe people... Keep the AutoFill for social media & stuff like that... For sensitive information (i.e. Bank log in) type it yourself
  • I can replicate it in Windows 10 on phone, so it's not fixed.
  • Even if it was fixed the overwhelming majority is still on wp8(.1). So it should be fixed there as well.
  • MY Password is ************
  • It's not that big deal! But it is notable! I thought it is a bug!
  • Good find by someone. It's low risk because you need the phone so I suspect this may never get fixed given that the next update (W10) will fix it anyway.
  • It's not fixed in W10 yet.
  • As always with security it is a compromise between being safe and your convenience. That probably shouldn't work as shown in the article, but any flaw that requires physical access to your device isn't really a problem per se.
  • It doesn't search! It only opens Cortana!
  • Make sure your Default Search Engine is Bing in the Internet Explorer settings :)
  • Hey what if I forgot my mobile PIN...?
  • Now that's some nice trick
  • Hotfix for me: Simply don't let IE store any passwords. MS needs to patch this up way before W10.
  • Yeah, that's pretty bad. Just tried it on PayPal and it does indeed do a search using my rather obscure password!
  • Just in case you were really wondering: This flaw is present in all current versions of Internet Explorer, with the possible exception of Windows 10. This includes big boy versions of the browser for computers.
  • You cannot copy a password box in IE desktop.
  • Yeah! It's time to lash people at Microsoft.
    We have had so much faith in them and what do they do?
    They suck big time at giving us a first-class mobile OS experience! Come on Daniel, let's teach them some lessons!
  • Didn't even know you could highlight and search with Windows Phone, wow
  • The password vaults in browsers aren't exactly secure themselves (as evidenced by the fact that one browser can import usernames and passwords from another). I know this is mobile rather than desktop, but they are the same engine, so I assume the same technology applies. It seems if someone really wanted passwords they'd attack the storage vault programmatically rather than manually visiting pages to take advantage of this exploit one site at a time. A problem, yes, but not that serious.
  • That's not a bug. It's a feature! /s
  • I don't see being able to copy from password fields as being the problem. There are a lot of places, software, environments that allow you to copy from a password field. The problem here is when you copy, you copy the real password not the ***********.
  • You can't copy the unmasked password from a password field. This issue arises when you hit search on the password input, it seems to bypass the mask.
  • I literally never knew about the search feature with highlighted text! Pretty neat actually.
  • This flaw works on my Nokia 635
  • In order to be consistent with other implementations of IE, and the OS, the masked characters should not be copyable.
  • Whoa! I tried and it really does work this way. I think this is a flaw. They should fix this. Rule of thumb is that if this is a password, this should be masked and if by any trick that becomes visible it should be fixed.
  • This feature doesn't even seem to work on my 630
  • Helpful article! I just hope everybody reads it... But I guess that is too much to ask lol. Cue another bout of doom & gloom forum posts! Lol. In all honesty this isn't really a big deal as correctly detailed in the article. I've known about this for some time, which is why I never use the "remember the password" feature in browsers.
  • Is it just me, or is there anyone else that can't select the text and search?
    When I select the text and press search, it just launches Cortana. That's it.
    Any setting that needs to be enabled?
  • I tested some of my other apps and they wouldn't let me copy the password when they were ....... out. If they had a checkbox to show the password, I could then copy it if I checked the box. While I think having a strong PIN on your phone is much better, I think it probably should be fixed for all those people that don't bother to put PINs on their phones or use short ones.
  • Darn it, when is this feature coming to India?
  • The moment your towel falls leaving your nuggets exposed..
  • Good thing is I just rediscovered one of my forgotten passwords!
  • Meh, no big deal.
  • "Although this flaw is exposed on Windows Phone 8.1, it looks like in Windows 10 for phones it cannot" It is just early build :-P wait for the finished software ;-) But I think this would be fixed out of the box in Windows 10 :-)
  • I thought that it was a feature of WP..... but to me this is still convenient.....
  • I tried on WP8.1 Denim, whether on m.facebook.com or some apps, there is no way to copy the password out. Unless the website is using a text field instead of a password field.
  • Peter's a good Windows Phone supporter.
  • I see it as an issue. Users don't like passwords and don't use PINs. In a company environment this is Admin hell, especially if you can't afford proper MDM software. I do consider it a security threat. Another issue, not everyone resets their device before giving it for repairs! MS should fix this.
  • iOS 7.1.1 has the same problem.... I bought a sh iPad and the previous owner didn't remove the account, and I just copied the dot password and put it in the notepad... and voila, the password was there
  • I don't use IE, I use UC Browser.