“Wavethrough” Bug in Microsoft Edge Leaks Sensitive Information

A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.

Tracked as CVE-2018-8235, the flaw occurs in how “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in an advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allows for requests that should otherwise be ignored.

As a result, an attacker could exploit the vulnerability to force the user’s browser to send data otherwise restricted. Attacks could be performed via maliciously crafted websites, compromised domains, or through websites that accept or host user-provided content or advertisements.

The vulnerability was discovered by Google developer Jake Archibald, who named it Wavethrough, because the bug occurs when a site uses service workers for the loading of multimedia content, and the <audio> web API, which makes use of “range” requests.

The Range headers can be used by “media elements if the user seeks the media, so it can go straight to that point without downloading everything before it,” Archibald explains.

What the security researcher discovered was that, when the request was observed from a service worker, the Range header was missing, because media elements make “no-cors” requests.

“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that,” he notes.

When special headers are used, the browser might also check with the origin before making the request, but some APIs ignore these checks, which could result in sensitive data being leaked. No-cors requests are sent with cookies and receive opaque responses, and some APIs may access the data in these responses.

Thus, when a media element makes a no-cors request with a Range header, fetch() removes the header, because it isn’t allowed in no-cors requests. However, because Range requests were never standardized in HTML, and because service workers are involved, a website could respond to them arbitrarily.

“You can respond to a request however you want, even if it’s a no-cors request to another origin. For example, you can have an <img> on your page that points to facebook.com, but your service worker could return data from twitter.com,” the researcher explains.

After setting up a website that would do just that, Archibald discovered that the beta and nightly versions of Firefox allowed the redirect and eventually exposed the duration of the requested audio. The bug was patched before it made it to the stable Firefox release.

Edge too was found vulnerable, but it also allowed the resulting audio to pass through the web audio API, thus allowing for the monitoring of the samples being played. Because the request is made with cookies, the attack revealed content otherwise accessible only if the user is logged in.

“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” the researcher points out.

In addition to getting the bug addressed in Firefox and Edge, Archibald has been working on changing the standards regarding Range requests, so as to eliminate similar security issues. Furthermore, his discovery resulted in CORB being added to fetch().

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
