Endpoint Protection Platforms (EPP) , Endpoint Security , Open XDR

Microsoft Edge Vulnerabilities Let Hackers Steal Data

Automatic Translation Bypasses Security Restrictions
Microsoft Edge Vulnerabilities Let Hackers Steal Data

Microsoft recently released updates for the Edge browser, including a fix for a bypass vulnerability that could allow a remote attacker to bypass implemented security restrictions.

See Also: On Thin ICES: Augmenting Microsoft 365 with Integrated Cloud and Email Security

The vulnerability, tracked as CVE-2021-34506, stems from universal cross-site scripting, or UXSS, which triggers when a webpage is automatically translated using Microsoft Edge browser's built-in feature via Microsoft translator. (see: Group Behind SolarWinds Attack Targeted Microsoft Customers).

In a UXSS attack, vulnerabilities in the browser itself or in the browser plug-ins are exploited. Researchers say that an attacker can trick victims into visiting a specially crafted website and bypass implemented security restrictions.

"Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled," Cyber Xplore researchers said in a blog post.

Microsoft credited Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh for discovering and reporting CVE-2021-34506.

Attack Analysis

Singh, a researcher for Cyber Xplore, has found several vulnerabilities in Microsoft products, Devgan, his colleague at the company, says. Since there was a bounty associated with finding bugs in Microsoft Edge, they decided to further explore the Microsoft Edge browser, Devgan tells Information Security Media Group.

He and Singh started their analysis on June 3, Devgan says. They used Microsoft Edge Browser, which translates websites, and found that it was filled with XSS payloads, according to Devgan. "We got so many pop-ups on Microsoft Edge, it looked strange; we went to Chrome again and did the same but this time there was no pop-up," said Devgan.

Devgan said that the translation feature had a piece of vulnerable code that failed to sanitize input, allowing an attacker to insert malicious JavaScript code anywhere on the webpage, which is executed when a victim tries to translate the page.

"So we both started digging into the platform and found that the Microsoft Edge (Internal Translator Which Comes Pre-Installed) has vulnerable code which actually takes any html tags having an ">img tag without sanitizing the input or converting the payload into text while translating, so actually that internal translator was taking ">img src=x onerror=alert(1)> payload and executing it as javascript as there were no proper validation checks which do sanitization or convert complete DOM into text and then process it for translation," said Devgan.

To demonstrate the vulnerability, the researchers created a Facebook profile with a name in a different language and XSS payload and then sent a friend - an Edge user - a request to act as the victim. As soon as the victim checked the profile, they got hacked via an XSS pop-up due to the auto translation, Devgan said.

Devgan said that the three researchers also tried in Google and in YouTube, and both attempts were successful. "We have written a review on Google for HackENews with a different language + XSS payload. Any person browsing that review link got hacked (XSS pop-up because of auto translation) and for YouTube, we entered a comment with XSS payload in a different language. Anyone viewing that video in Edge got hacked (XSS pop-up because of auto translation)," said Devgan.

The researchers first reported the incident to Microsoft on June 3 and received an email from Microsoft on June 7, requesting more details, which they sent. Subsequently, the researchers were rewarded with a $20,000 bounty, and on June 24, a patch update was pushed out by Microsoft and a CVE was assigned.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.