A bug in Microsoft Edge could allow for bypassing the Same Origin Policy (SOP) and for stealing user passwords in plain text, stealing cookies, spoofing content, and other vulnerabilities, independent security researcher Manuel Caballero says.
The bug is created because a window can be forced “to change its location as if the initiator were the window itself,” the security researcher says. Applying this to iframes in the target page and adding data-uri with code can lead to a full SOP bypass.
Basically, a tab hosting a malicious site could change the location of a PayPal tab to a bank website, and the site would receive PayPal as its referrer instead of the malicious domain. This happens because Microsoft Edge confuses the real initiator of the request.
By leveraging the bug and an injection, an attacker could immediately retrieve user passwords, Caballero says (previously, he suggested that passwords could be stolen by logging out the user and expecting Edge to autocomplete). The bug isn’t new, but Microsoft failed to resolve it to date, he suggests.
The issue, he explains, is that both Edge and Internet Explorer confuse the initiator of a request when the location of the tag is changed in the middle of a server-redirect. This technique can be used to spoof the referrer. As an example, whatsmyreferrer can be tricked into considering that the user is coming from microsoft.com.
For that, one would need to open a new window with a server-redirect to microsoft.com, block the thread until Microsoft starts loading, and then set the location to whatsmyreferrer.com. However, the final location needs to be set from the target window itself using a self-reference, the researcher underlines.
In a recent blog post, Caballero details the steps and code required to make the bypass work. He explains that, in addition to spoofing the referrer, one can also set the location of an iframe to a data-uri, and also provides the code necessary to do so. This also results in a full SOP bypass, the notes.
The security researcher also notes that Edge autocompletes any input-password box without ids/names, provided that it is on the proper domain and has the required format. As a result, one can inject code in domains with saved passwords and have Edge immediately autocomplete them.
“Faking the originator leads to a referrer spoof, but thanks to the existence of data-uris and the fact that most sites render iframes, we can end up turning this vulnerability into a full SOP bypass. Then, because the password manager tries to be smart and complete everything without checking too much, we can simply render a universal snipped of code that will work everywhere,” Caballero concludes.