Microsoft Edge Vulnerabilities Let Hackers Steal Data
Automatic Translation Bypasses Security Restrictions
Microsoft recently released updates for the Edge browser, including a fix for a security bypass vulnerability that could allow a remote attacker to circumvent implemented security restrictions.
The vulnerability, tracked as CVE-2021-34506, is a universal cross-site scripting, or UXSS, flaw that is triggered when a webpage is automatically translated by the Microsoft Edge browser's built-in translation feature, which uses Microsoft Translator.
In a UXSS attack, vulnerabilities in the browser itself or in browser plug-ins are exploited. Researchers say that an attacker can trick victims into visiting a specially crafted website and bypass implemented security restrictions.
"Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled," Cyber Xplore researchers said in a blog post.
Microsoft credited Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh for discovering and reporting CVE-2021-34506.
Singh, a researcher for Cyber Xplore, has found several vulnerabilities in Microsoft products, says Devgan, his colleague at the company. Since there was a bounty associated with finding bugs in Microsoft Edge, they decided to further explore the Microsoft Edge browser, Devgan tells Information Security Media Group.
He and Singh started their analysis on June 3, Devgan says. They used Microsoft Edge Browser, which translates websites, and found that it was filled with XSS payloads, according to Devgan. "We got so many pop-ups on Microsoft Edge, it looked strange; we went to Chrome again and did the same but this time there was no pop-up," said Devgan.
To demonstrate the vulnerability, the researchers created a Facebook profile with a name in a different language and XSS payload and then sent a friend - an Edge user - a request to act as the victim. As soon as the victim checked the profile, they got hacked via an XSS pop-up due to the auto translation, Devgan said.
Devgan said that the three researchers also tried the attack on Google and on YouTube, and both attempts were successful. "We have written a review on Google for HackENews with a different language + XSS payload. Any person browsing that review link got hacked (XSS pop-up because of auto translation) and for YouTube, we entered a comment with XSS payload in a different language. Anyone viewing that video in Edge got hacked (XSS pop-up because of auto translation)," said Devgan.
The researchers first reported the incident to Microsoft on June 3 and received an email from Microsoft on June 7, requesting more details, which they sent. Subsequently, the researchers were rewarded with a $20,000 bounty, and on June 24, a patch update was pushed out by Microsoft and a CVE was assigned.