A developer from Google discovered a brand new type of bug in the Edge browser that allows malicious activity without any notification of the user. The working method of the bug is weird, but the capabilities of the bug is not a joke.
According to Jake Archibald, the Google dev who discovered the bug, said that it’s such a huge bug. He also shared a proof-of-concept demo where he was able to read emails, Facebook feed etc. without even notifying the victim!
Archibald named the bug Wavethrough. The name is kind of pun, but it holds the significance and silliness of the bug. Nevertheless, let’s take a look how the bug works.
Whenever a malicious site uses service works for loading multimedia content within an <audio> tag from a remote site. Using “range” parameter, it’s also possible to load just a specific part of the file.
According to Archibald, due to the inconsistencies how browsers handle the loaded file via service works inside the audio tag, it’s possible to inject any content through that malicious site. Generally, with the help of CORS – Cross-Origin Resource Sharing security feature, such action was not possible. It prevents sites loading resources from other sites. However, due to the weird configuration, the site is able to grant “no-cors” request that sites like Gmail, Facebook, BBC etc. will honor without any trouble.
Thus, the malicious site is able to load malicious content behind the authentication procedures that’s not supposed to be loaded from random domains.
Thankfully, Wavethrough doesn’t impact most of the web browsers. In fact, most of the browsers fixed this issue in their previous versions. The bug Wavethrough (CVE-2018-8235) only affected Edge and Firefox browsers.
In the case of Firefox, only in-dev Firefox Nightly versions were affected and it was fixed before it made to the Stable channel. Despite facing some issue, Microsoft patched the bug in the latest June 2018 Patch Tuesday fixes.
Here’s the demo Jake Archibald shared demonstrating the power of the bug.
How to stay secured
However, this is the concern that a good percentage of the Windows users hardly use Windows Update, let alone installing Edge browser updates.
If you’re a Windows user, you should obviously make sure that you install all the latest Windows updates available for your system. You should check out this awesome tool that allows downloading and updating your Windows system easily.