“Huge” Browser Bug Enabled Malicious Websites to Retrieve Data from Other Sites You Visited
Google's Project Zero continues to get security vulnerabilities fixed in Microsoft products and services. In this month's Patch Tuesday, the Windows maker apparently fixed a nasty bug in its browser that allowed a malicious website to potentially "read your emails and Facebook feed."
Microsoft describes the bug, tracked as CVE-2018-8235, as a security feature bypass vulnerability that exists when Microsoft Edge improperly handles requests of different origins. "The vulnerability allows Microsoft Edge to bypass Same-Origin Policy (SOP) restrictions, and to allow requests that should otherwise be ignored," the company writes.
"An attacker who successfully exploited the vulnerability could force the browser to send data that would otherwise be restricted."
Microsoft explains that in web attacks, an attacker could use a specially crafted website to exploit the vulnerability through Microsoft Edge, convince a user to view the website, and then retrieve data not meant to be seen by the website.
"It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing," Jake Archibald, the Google developer who discovered this bug, wrote in his blog post.
It apparently took Microsoft a lot of time to get this browser bug fixed in Edge
Archibald said that the bug, named Wavethrough, affected both Mozilla Firefox and Microsoft Edge. Mozilla is known for its quick response to bug reports, and this case wasn't any different. The company responded to his report within three hours and released the fix with Firefox 59, back in March.
"Firefox handled this brilliantly," Archibald wrote. "I was able to engage with engineers directly on how the issue should be fixed, which was important as I was planning how to standardise the mitigation."
Microsoft, on the other hand, took over three months, and it took some direct internal contacts to get there. Archibald said that after he didn't hear back from the company for nearly 20 days, he thought that the company wasn't taking this seriously enough and used his contacts in Microsoft to "chase it internally." Eventually, this browser security bug did get addressed and the fix was rolled out in this month's updates.