A Google developer has discovered a high-severity loophole that affected the Microsoft Edge web browser and, less so, Mozilla Firefox, and that could provide an attacker with access to the victim’s private information.
“[T]his is a huge bug. It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” wrote Jake Archibald, who found the security hole by accident and went on to call it “Wavethrough”.
If exploited, the vulnerability, tracked under CVE-2018-8235, could enable a remote attacker to retrieve content from other tabs within the victim’s browser. This includes sites that require users to authenticate themselves.
Of the four major browsers, the security hole mainly affected Microsoft Edge. Having been alerted to the bug by Archibald, Microsoft rolled out a patch for it in its June 2018 Patch Tuesday update. As for Firefox, only beta versions were affected, and Mozilla rushed to squash the bug before it could bite the users of the stable Firefox version. Meanwhile, Safari and Chrome were not affected.
The bug’s guts
The flaw has to do with how browsers treat cross-origin requests for multimedia content. As noted by Bleeping Computer, the hole can be exploited when a malicious website uses a service worker to load content inside an <audio> tag from another domain while using the HTTP Range header (the "range" parameter) to fetch only a section of that file.
Browsers did not all handle such partial, service-worker-mediated audio loads the same way, and in the affected ones a malicious website could read content fetched from another site unchecked.
Having lured a victim to visit such a site, the attacker could then effectively circumvent a browser safeguard known as CORS (Cross-Origin Resource Sharing) that should normally stop sites from gaining access to the contents of other sites.
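The safe counterpart to the behaviour described above, as an added example that is not code from the article, from Microsoft or from Archibald's write-up: a service-worker fetch handler that answers Range requests for media only with a response from the same origin the page asked for, and refuses to substitute an opaque (no-cors, cross-origin) response. The request and response objects are plain-object stand-ins for the Fetch API's Request/Response (an assumption, so the code runs outside a browser), and all names and sample values are constructed.

```javascript
// Added example (not the article's or any vendor's code). It models the rule
// a careful service worker follows when it answers <audio> Range requests:
// only serve bytes that came from the origin the page actually requested.
// Request: { url, headers: { Range } }. Response: { type, url, body } where
// `type` follows Fetch ('basic' same-origin, 'opaque' no-cors cross-origin).

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const key of Object.keys(headers || {})) {
    if (key.toLowerCase() === wanted) return headers[key];
  }
  return null;
}

// Parse a single-range Range header ("bytes=0-99", "bytes=500-", "bytes=-200")
// against a resource of `size` bytes. Returns an inclusive { start, end } or
// null when the header is malformed or unsatisfiable (RFC 7233 semantics).
function parseByteRange(rangeHeader, size) {
  if (typeof rangeHeader !== 'string') return null;
  const m = /^bytes=(\d*)-(\d*)$/.exec(rangeHeader.trim());
  if (!m || (m[1] === '' && m[2] === '')) return null;
  let start, end;
  if (m[1] === '') {
    const suffix = Number(m[2]);          // "bytes=-N": the last N bytes
    if (suffix === 0) return null;
    start = Math.max(0, size - suffix);
    end = size - 1;
  } else {
    start = Number(m[1]);
    end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  }
  return start < size && start <= end ? { start, end } : null;
}

// Policy: a candidate response may stand in for `request` only if it is not
// opaque and its URL has the same origin as the URL the page requested.
// This is exactly the substitution the Wavethrough bug let slip through.
function responseAllowedFor(request, response) {
  if (!response || response.type === 'opaque' || !response.url) return false;
  return new URL(response.url).origin === new URL(request.url).origin;
}

// Build the reply for a (possibly ranged) media request from a candidate
// response (e.g. a cached full file). Returns null when the worker should
// NOT intercept, leaving the browser to perform its normal fetch instead.
function buildRangeResponse(request, candidate) {
  if (!responseAllowedFor(request, candidate)) return null;
  const rangeHeader = getHeader(request.headers, 'Range');
  const size = candidate.body.length;
  if (rangeHeader === null) {
    return { status: 200, body: candidate.body, contentRange: null };
  }
  const range = parseByteRange(rangeHeader, size);
  if (!range) return { status: 416, body: '', contentRange: `bytes */${size}` };
  return {
    status: 206,
    body: candidate.body.slice(range.start, range.end + 1),
    contentRange: `bytes ${range.start}-${range.end}/${size}`,
  };
}

// In a real worker (browser only, shown for orientation):
// self.addEventListener('fetch', (event) => {
//   event.respondWith(
//     caches.match(event.request.url).then((cached) =>
//       buildRangeResponse(event.request, cached) || fetch(event.request)));
// });

module.exports = { getHeader, parseByteRange, responseAllowedFor, buildRangeResponse };
```

The important choice is the `null` return: when the candidate does not pass the origin check, the worker declines to answer rather than forwarding someone else's bytes, so the media element only ever sees data from the origin it named.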
Microsoft lists the hole as “a security feature bypass vulnerability that exists when Microsoft Edge improperly handles requests of different origins”.
“An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted,” according to Microsoft.