Microsoft Edge Bug Could’ve Let Hackers Steal Your Secrets for Any Site

Microsoft last week rolled out updates for the Edge browser with fixes for two security issues, one of which concerns a security bypass vulnerability that could be exploited to inject and execute arbitrary code in the context of any website.

Tracked as CVE-2021-34506 (CVSS score: 5.4), the weakness stems from a universal cross-site scripting (UXSS) issue that’s triggered when automatically translating web pages using the browser’s built-in feature via Microsoft Translator.

Credited for discovering and reporting CVE-2021-34506 are Ignacio Laurence as well as Vansh Devgan and Shivam Kumar Singh with CyberXplore Private Limited.

“Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code,” CyberXplore researchers said in a write-up shared with The Hacker News.

“When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.”

Specifically, the researchers found that the translation feature contained code that failed to sanitize input, allowing an attacker to insert malicious JavaScript anywhere in the web page; that code is executed when the user clicks the prompt in the address bar to translate the page.

As a proof-of-concept (PoC) exploit, the researchers demonstrated that the attack could be triggered simply by adding a comment, written in a language other than English and carrying an XSS payload, to a YouTube video.

In a similar vein, a friend request from a Facebook profile containing other language content and the XSS payload was found to execute the code as soon as the recipient of the request checked out the user’s profile.
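An added illustration (not Microsoft's or the researchers' code) of the sink described above: a page-translation step that writes the translated, attacker-controlled comment back into the page as markup, shown beside the fix that treats it as plain text. The translator and the comment contents are constructed stand-ins.

```javascript
// Constructed stand-in for the remote translation service: it returns the
// user-supplied text unchanged apart from a tag, which is the point of the
// bug: untrusted page content flows back into the page through the translator.
function fakeTranslate(text) {
  return "[translated] " + text;
}

// Escape the five characters that can change HTML structure.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Vulnerable pattern (hypothetical): the translated string is interpolated
// into markup that is then written to the document, so markup inside a
// comment becomes live DOM (the equivalent of assigning to innerHTML).
function renderTranslatedUnsafe(comments) {
  return comments
    .map((c) => `<p class="comment">${fakeTranslate(c)}</p>`)
    .join("");
}

// Fixed pattern: the translated string is escaped before interpolation, the
// string-building equivalent of assigning it via textContent in a real DOM.
function renderTranslatedSafe(comments) {
  return comments
    .map((c) => `<p class="comment">${escapeHtml(fakeTranslate(c))}</p>`)
    .join("");
}

// Defender-side check: after removing the trusted template tags, does any
// tag opener remain in the rendered output? If so, untrusted markup got in.
function containsInjectedMarkup(html) {
  const stripped = html.replace(/<\/?p( class="comment")?>/g, "");
  return /<[a-z!\/]/i.test(stripped);
}

// Constructed sample: one benign non-English comment (which is what triggers
// the translate prompt) and one that also carries a harmless probe tag.
const SAMPLE_COMMENTS = [
  "¡Buen video!",
  '<img src=x onerror="probe()">',
];
```

Running `containsInjectedMarkup` over both renderings shows the unsafe one carrying the injected tag and the safe one carrying only escaped text.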

Following responsible disclosure on June 3, Microsoft fixed the issue on June 24, in addition to awarding the researchers $20,000 as part of its bug bounty program.

The latest update (version 91.0.864.59) to the Chromium-based browser can be downloaded by visiting Settings and more > About Microsoft Edge (edge://settings/help).
