An independent security researcher has accidentally uncovered an unusual, high-severity vulnerability in Microsoft Edge, tracked as CVE-2018-8235. In short, the flaw lets a malicious website read content from other sites simply by making the browser play an audio file in an unexpected way.
According to Jake Archibald, the researcher who unearthed the flaw, the bug is huge and “it means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing”. The researcher dubbed the bug Wavethrough.
CVE-2018-8235 Official MITRE Description
A security feature bypass vulnerability exists when Microsoft Edge improperly handles requests of different origins, aka “Microsoft Edge Security Feature Bypass Vulnerability.”
CVE-2018-8235: the Wavethrough Bug Explained
When is the bug triggered? When a malicious website uses a service worker to supply the media played by an audio tag while the browser fetches specific parts of the same file from a remote site with HTTP Range requests.
The researcher also added that:
I pretended to be a hacker and wrote down all the attacks I could think of, and Anne van Kesteren pointed out that some of them were possible without a service worker, as you can do similar things with redirects.
In addition, because of discrepancies in how browsers handle files loaded through service workers into audio tags, it is possible to pull arbitrary content into the malicious site. Normally this cannot happen: the same-origin policy, relaxed only where CORS (Cross-Origin Resource Sharing) explicitly allows it, prevents a site from reading responses fetched from another origin.
Under these unusual circumstances, however, the malicious site can issue “no-cors” requests, which look like ordinary requests to the receiving site, be it Facebook, Gmail or a news outlet, and carry the user's cookies. A browser is supposed to keep the response to such a request opaque, that is, unreadable to the page. In Edge the bytes became readable, so the malicious site could read content that is normally visible only to the logged-in user.
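As an added illustration (not code from the article or from the researcher's proof of concept), here is the service-worker side of the mechanism described above: a worker that answers the browser's HTTP Range requests for a same-origin audio file from its own bytes and leaves anything cross-origin to the network untouched. The file name, the origin and the sample bytes are assumptions made for the example; the point is to keep cross-origin responses out of the path the audio element reads from, which is the boundary the affected browsers failed to enforce.

```javascript
// Added example: a service worker that serves HTTP Range requests for a
// same-origin audio file. Not the article's or Jake Archibald's code.

// Parse a single "bytes=start-end" Range header against a known total size.
// Returns {start, end} (inclusive) or null when the header is absent or
// unsatisfiable (RFC 7233 single-range form only; multi-range is rejected).
function parseRange(rangeHeader, totalSize) {
  if (!rangeHeader) return null;
  const m = /^bytes=(\d*)-(\d*)$/.exec(rangeHeader.trim());
  if (!m) return null;
  const [, a, b] = m;
  if (a === '' && b === '') return null;
  let start, end;
  if (a === '') {                        // suffix range: the last N bytes
    const n = Number(b);
    if (n === 0) return null;
    start = Math.max(0, totalSize - n);
    end = totalSize - 1;
  } else {
    start = Number(a);
    end = b === '' ? totalSize - 1 : Math.min(Number(b), totalSize - 1);
  }
  if (start > end || start >= totalSize) return null;
  return { start, end };
}

// Build the reply for a (possibly ranged) request from an in-memory file:
// 206 Partial Content with Content-Range, 200 when no Range header was sent,
// 416 when the range cannot be satisfied.
function partialContent(bytes, rangeHeader, contentType = 'audio/wav') {
  const total = bytes.length;
  const r = parseRange(rangeHeader, total);
  if (rangeHeader && r === null) {
    return { status: 416, headers: { 'Content-Range': `bytes */${total}` }, body: new Uint8Array(0) };
  }
  if (r === null) {
    return {
      status: 200,
      headers: { 'Content-Type': contentType, 'Content-Length': String(total), 'Accept-Ranges': 'bytes' },
      body: bytes,
    };
  }
  const body = bytes.slice(r.start, r.end + 1);
  return {
    status: 206,
    headers: {
      'Content-Type': contentType,
      'Content-Length': String(body.length),
      'Content-Range': `bytes ${r.start}-${r.end}/${total}`,
      'Accept-Ranges': 'bytes',
    },
    body,
  };
}

// The worker only answers requests for its own origin. Cross-origin media
// requests fall through to the network, so the worker never hands the page
// another site's bytes under a same-origin URL.
function isSameOrigin(requestUrl, workerOrigin) {
  return new URL(requestUrl).origin === workerOrigin;
}

// Constructed sample "file" (assumption: 64 numbered bytes, not a real WAV).
const SAMPLE = Uint8Array.from({ length: 64 }, (_, i) => i);
const SAMPLE_PATH = '/clip.wav'; // assumed path of the audio file

// Registration only happens inside a real service worker; under Node this
// guard is false and the functions above can be exercised directly.
if (typeof ServiceWorkerGlobalScope !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    if (req.destination !== 'audio') return;                         // not media: let the network handle it
    if (!isSameOrigin(req.url, self.location.origin)) return;        // cross-origin: never intercept
    if (new URL(req.url).pathname !== SAMPLE_PATH) return;
    const reply = partialContent(SAMPLE, req.headers.get('Range'));
    event.respondWith(new Response(reply.body, { status: reply.status, headers: reply.headers }));
  });
}
```

A browser typically opens a media file with `Range: bytes=0-` and then asks for later slices as playback or seeking requires, so a worker that serves media must get `Content-Range` right or the element will stall; the same-origin gate is what keeps the worker from becoming a relay for someone else's responses.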
Firefox Partially Affected by CVE-2018-8235
The other browser affected by this bug was Firefox, but only its in-development Nightly builds; the bug was fixed there before it reached a stable Firefox release. Chrome and Safari were not affected.
Microsoft has also addressed the bug in its June 2018 Patch Tuesday.
As for Chrome, the researcher believes Google unintentionally fixed the issue in 2015 while patching a different bug.