Microsoft is working on a fix for a recently discovered vulnerability in Internet Explorer 11. The bug, which affects even the most up-to-date and patched version of IE, allows an attacker to bypass browser security, inject malicious code to launch highly credible phishing attacks and ultimately steal login credentials or other private information.

The flaw was recently disclosed by security researcher David Leo. Described as a universal cross-site scripting (XSS) vulnerability, it allows an attacker to bypass the Same-Origin Policy (SOP). This security mechanism is found in all browsers and is used to prevent code on one website from manipulating the content or browser cookies of another site.

Leo demonstrated the attack using Daily Mail as the target and was able to successfully replace the site’s content with “Hacked by Deusen.” Aiding in the attack’s success is the fact that it doesn’t change the URL in the address bar so it still appears as though you’re visiting the intended destination.

This could easily be put to use by a nefarious hacker to steal private financial information from a bank’s website, for example.

The vulnerability has successfully been demonstrated on Internet Explorer 11 running Windows 8.1 and Windows 7. Attempts to replicate it using older versions, like Internet Explorer 8 on Windows 7, have failed.

Microsoft said it isn’t aware of the vulnerability being actively exploited in the wild and are working on a patch. In the meantime, the company urges users to avoid opening links from untrusted sources and visiting untrusted sites.