Welcome to nsane.forums

Welcome to nsane.forums, like most online communities you need to register to view parts of our community or to make contributions, but don't worry: this is a free and simple process that requires minimal information. Be a part of nsane.forums by signing in or creating an account.

  • Access special members only forums
  • Start new topics and reply to others
  • Subscribe to topics and forums to get automatic updates

Sign in to follow this  
Followers 0
CrAKeN

Edge Plagued by Various Security Flaws, Not as Secure as Microsoft Boasts

1 post in this topic

EdgePoC.png

 

Microsoft never shied away from claiming that Edge is a much more secure browser than Chrome. Even some third-party tests have sustained its claims.

 

Nonetheless, there are currently three different issues affecting Edge, which Microsoft might not like you knowing about.

 

The first two were discovered by Argentinian security researcher Manuel Caballero, a man that has previously found other issues in Edge in the past [1, 2].

 

Detecting a user's Edge extensions


The first of these relates to user privacy, and more precisely to a flaw that a threat actor can exploit to detect a list of the user's installed Edge extensions.

 

While knowing which Edge extension a user is using can be used to leverage vulnerabilities in that extension and hack a target, a more down-to-Earth scenario would be that advertisers could leverage that information to create more accurate user fingerprints, and use these fingerprints to track users across different sites.

 

The researcher said that the first method used to exploit this flaw was mitigated with the release of Windows 10 Creators Update, but he pointed out that there are two other ways this can still be exploited. A proof-of-concept demo page is available here.

 

Using Edge's new Reading Mode to bypass SOP filters


The second flaw Caballero discovered was in Edge's "Reading View," which is a browser feature that strips away all the ads and images and leaves only a page's title and text, similar's to Firefox's Reader View.

 

The security researcher found a way to leverage to force a page to load into Reading View, even this isn't possible for all URLs.

Because of a bug in Reading View, the attacker can load JavaScript code on this page that redirects the user to a new page, while the original URL remains in the address bar.

 

Caballero weaponized this bug by taking the URL from Google search results, which start with google.com but are actually redirects, to load that link in Reading View, but send users to malicious pages.

 

Second and third Reading View bugs the researcher discovered allowed him to load and execute code in this Reading View page, bypassing SOP (Same Origin Policy). The ability to execute code is dangerous, as the attacker could re-shape the page to look like the real Google login page but secretly record the user's login credentials, all the time while showing google.com in the address bar.

 

This issue is not yet fixed. A demo page is here, and a YouTube video is available below.

 

 

Edge leaks user data via AJAX requests


The third and final major Edge bug was discovered by security researcher Ariel Zelivansky.

 

According to the researcher, the flaw resides in how Microsoft implemented the Fetch API, a new standard for dealing with
AJAX requests, meant to replace the older XMLHttpRequest (XHR).

 

Zelivansky says Edge's JavaScript fetch() requests leak data on the fetched URL. The researcher argues that this issue could be used to harvest data on users or to unmask unknown visitors of a site and link their IP to sites where their persona might be logged in, such as Facebook, Twitter, Slack, etc..

 

A demo is available here. When accessing this demo, the page will list links to the user's Facebook, YouTube, and Docs.com profiles, all without any user interaction.

 

Just like the two attacks discovered by Caballero, this is also currently unpatched. Zelivansky said Microsoft didn't determine this to be a security issue but said they plan to fix it in a non-security update in the coming future.

 

Source

2 people liked / thanked this

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0