A vulnerability in Microsoft’s Edge browser that allows a malicious website to gain access to the contents of other web pages, regardless of if they were opened in the browser at the time, was patched as part of the June 2018 round of Patch Tuesday updates. The vulnerability relates to the behavior of using service workers to load content inside an <audio> or <video> tag from a remote site, while simultaneously using the «range» parameter to jump to a specific section inside that file.
According to Jake Archibald, the Google employee who found the vulnerability, «this is a huge bug. It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing.» Archibald noted that he named the vulnerability Wavethrough because «it involves wave audio, and data is allowed through that shouldn’t be,» while noting the trend of giving vulnerabilities «an extremely tenuous name and logo.» Wavethrough is assigned the ID CVE-2018-8235.
The range parameter is the instrumental part of this vulnerability. Under normal circumstances, this is used to resume downloads, and in media elements when the user navigates to a different point in a file, preventing the need for the entire file to be downloaded before the browser can jump to the desired point. Archibald points out that when using service workers, the range parameter became omitted, because media elements use «no-cors» requests. Archibald provides a concise summary of the concept:
If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that. If you want to send fancy headers, the browser checks with the origin first, before making the request with the fancy headers. This is known as CORS.
In contrast, certain APIs ignore this entirely, with images, CSS, and non-module scripts acting as no-cors requests as a default behavior.
SEE: Information security policy (Tech Pro Research)
As it is, the range parameter is standardized in HTTP, but not in HTML, prompting different browsers to interpret this concept differently. Archibald’s proof of concept relies on mixing known and unknown data, combined with a redirect. Of the four major browsers, Chrome and Safari rejected the request, while Beta and Nightly versions of Firefox only exposed the length of the requested resource, not any of the associated content. No stable version of Firefox is vulnerable, though Archibald notes that the issue was addressed within hours of the bug report.
By contrast, in Edge, the browser allows the resulting audio to be passed through the web audio API, from which it can be transformed back into a string to get the page content, which was demonstrated in this proof-of-concept to scrape data from BBC News.
Archibald notes that communicating with the Edge team at Microsoft was an exercise in frustration, as the Microsoft Security team claimed to not have access to the Edge bug tracker, and wished for the details to be pasted into an email.
The next day, they requested the source code of the attack, which Archibald notes would have otherwise been visible if they used the «View Source» button. Following this, there was no communication from Microsoft for 20 days, prompting Archibald to privately ask two members of the Edge team about it. In result, Archibald received an email indicating Microsoft was «developing a fix,» followed by another 14 days of silence. After complaining on Twitter, Edge security engineer Jun Kokatsu replied and privately discussed how the fix was being developed.
Building a slide deck, pitch, or presentation? Here are the big takeaways:
- A bug allowing a malicious actor to access arbitrary data in Microsoft Edge was discovered, and has been patched in the June 2018 Patch Tuesday update.
- The issue does not affect Chrome or Safari, and was only found to affect prerelease versions of Firefox.