Microsoft Edge Translator contained exploitable uXSS flaw “on any web page”


Adam Bannister June 30, 2021 at 11:28 UTC

Updated: June 30, 2021 at 18:20 UTC

Exploit successfully tested on Google, YouTube and Facebook domains

A universal cross-site scripting (uXSS) vulnerability in Microsoft Edge’s translation function has left users exposed to attacks regardless of which website they visited, security researchers have said.

Reaping a bug bounty of $20,000 for their exploit, the researchers inserted malicious JavaScript code into web pages whose text was written in a language different from the target user’s Edge language settings.

If Microsoft Translator was configured to translate automatically, or was enabled by clicking the corresponding prompt, the browser attempted to re-render the page but failed to load the injected image tag, triggering an error event that called the malicious function.

Chromium-based browser security defenses were bypassed by the payload “because the vulnerable function failed to sanitize the” image tag or perform a validation check, and instead converted “the entire DOM to text, then process[ed] it for translation,” reads a blog post published by Vansh Devgan and Shivam Kumar Singh of Indian infosec company CyberXplore.
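A minimal model of the flaw described above, written as an added example for this article (it is not the researchers’ proof of concept or Microsoft’s code): a translator that writes translated text back into the page as raw markup, beside the hardened version that writes it back as escaped text, plus a pre-insertion check that flags translated strings carrying an inline event handler. The `renderUnsafe`, `renderSafe` and `hasEventHandlerMarkup` functions and the sample comment are constructed assumptions, and the DOM is simulated with plain strings so the file runs under Node.js.

```javascript
// Toy model of a page translator's re-render step (Node.js, no real DOM).
// The security-relevant rule: a translated string came from a text node, so it
// must go back into the page as text, never be parsed as HTML.

// Escape the five characters that let text become markup or break attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Unsafe re-render: the translated string is concatenated straight into markup,
// so a tag hidden in user-controlled text (a comment, a review) becomes live DOM.
// This mirrors "convert the whole DOM to text, translate, put it back".
function renderUnsafe(tag, translated) {
  return `<${tag}>${translated}</${tag}>`;
}

// Hardened re-render: escape first, equivalent to assigning via textContent.
function renderSafe(tag, translated) {
  return `<${tag}>${escapeHtml(translated)}</${tag}>`;
}

// Defensive check: does the string contain a tag with an inline on* handler?
// Suitable as an assertion or log point before any write back into the page.
function hasEventHandlerMarkup(s) {
  return /<[a-z][^>]*\son[a-z]+\s*=/i.test(s);
}

// Constructed sample: a foreign-language comment carrying an image tag whose
// error handler would fire once the browser tries to load the bogus source.
const sampleComment = 'Bonjour <img src="x" onerror="run()">';

// A stand-in translation service: identity, since the point is the write-back,
// not the translation itself.
function translate(text) {
  return text;
}

function demo() {
  const translated = translate(sampleComment);
  return {
    flagged: hasEventHandlerMarkup(translated), // true: catch it before insertion
    unsafe: renderUnsafe('p', translated),       // tag is live in the page
    safe: renderSafe('p', translated),           // tag is inert text
  };
}

module.exports = { escapeHtml, renderUnsafe, renderSafe, hasEventHandlerMarkup, demo };
```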

Pwned in translation

As long as a website reflects a suitable XSS payload, the attack would work whether or not the website sanitized the text properly, the researchers suggested.

The duo validated this hypothesis with a YouTube video comment in a foreign language, a Google review (proof-of-concept video), and, subject to acceptance of a friend request, a Facebook profile (video).


Web apps on the Microsoft Store were also vulnerable, because Microsoft ships those apps with the translation add-on; this was also demonstrated in a demo video targeting Instagram.

Additionally, says Devgan, if a security researcher used training labs containing XSS payloads, those payloads would be triggered when Edge translated the page.

Low-blow

Now fixed, the vulnerability (CVE-2021-34506) was classified as medium severity (CVSS 5.4) by Microsoft, despite the sizeable award given under its Edge Bug Bounty Program.

“The bounty seems less [than it should be] and CVSS seems wrong to me,” says Devgan, who thinks a “critical” designation would be more appropriate. “It can actually trigger XSS on any page on [the] whole Internet.”

Hussein Nasser, the hugely popular software engineer and YouTuber, echoed these sentiments in his video examining the exploit, describing the payout as “low for Microsoft”.

In response to requests from The Daily Swig – and from Devgan himself, he said – Microsoft declined to comment further on the perceived mismatch between the payout and the CVSS score.

‘Everything is possible’

Devgan and Kumar Singh were inspired to test the feature after their efforts to find bugs in Mail.Ru’s Russian bug bounty program were frustrated by the removal of several Firefox translation extensions due to security vulnerabilities.

“I thought these extensions had universal access to any site on [the] browser,” Devgan wrote. “Like, you’re on Facebook.com, they can access this page’s entire DOM, cookies, and anything else that is possible with JavaScript.”

The researchers informed Microsoft of the vulnerability on June 3, and the tech giant released a patch on June 24.
