A Google Chrome developer recently discovered a high-severity vulnerability in Microsoft's Edge browser that allowed an attacker to read sensitive data in other tabs, including websites that required users to authenticate themselves.
According to Jake Archibald, the developer who discovered the vulnerability, an attacker could exploit the flaw to retrieve sensitive content from other tabs on the Edge browser, thereby gaining the ability to read emails and Facebook feed and to access online banking websites.
The said vulnerability was found to affect only Microsoft Edge and Firefox browsers but both Microsoft and Mozilla have since released patches to fix the vulnerability and to ensure the sanctity of sensitive user information.
In a detailed blog post, Archibald noted that an attacker can exploit the vulnerability by leveraging a hole in the mechanism through which browsers treat cross-origin requests to multimedia content.
Normally, when a browser makes a request for multimedia content from another domain, the content is fetched completely via the "range" parameter. However, when a browser requests for audio tags, a malicious website can fetch some of the content via the "range" parameter while loading the rest of the content inside the "audio" tag.
By loading content inside the audio tag, Archibald said that a malicious website can avoid being analysed by CORS (Cross-Origin Resource Sharing), a defence mechanism in browsers that prevents websites from accessing content in other websites. This way, an attacker can silently retrieve information from other browser tabs without alerting the user.
"I've covered two browser security issues here, but these bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard. The result is the browsers all behave slightly differently, and some ended up with security issues," said Archibald.
Commenting on the presence of such a high-severity vulnerability in Microsoft Edge, Joseph Carson, chief security scientist at THycotic, told SC Magazine UK that cyber-criminals are targeting Internet Browsers as they are easy to access to the end-users data and systems exposing the victim to identity theft, sensitive data disclosure, compromised systems and financial fraud.
"The worst types of security bugs in browsers are those that allow the cyber-criminal to access the victims' other applications (i.e. tabs in this case) or the operating system that could then allow the attacker to take remote access or steal sensitive data and this bug allows both so it is an extremely high risk. This bug with Microsoft Edge browser should be a top priority for organisations to reduce the risk and patch ASAP," he added.
Weds 21st Nov, 3pm
A practical risk-based approach to implementing GDPR and building a security-aware culture in your organisation.
Brought to you in partnership with Metacompliance
Mon 19th Nov
Brought to you in partnership with Mimecast