"Wavethrough" Bug in Microsoft Edge Leaks Sensitive Information
23.6.18 securityweek Vulnerability
A security vulnerability patched by Microsoft earlier this month in its Edge browser could be exploited via malicious or compromised websites to read restricted data.
Tracked as CVE-2018-8235, the flaw stems from the way “Microsoft Edge improperly handles requests of different origins,” Microsoft explains in its advisory. The issue results in Edge bypassing Same-Origin Policy (SOP) restrictions and allowing requests that should otherwise be ignored.
As a result, an attacker could exploit the vulnerability to force the user’s browser to send data otherwise restricted. Attacks could be performed via maliciously crafted websites, compromised domains, or through websites that accept or host user-provided content or advertisements.
The vulnerability was discovered by Google developer Jake Archibald, who named it Wavethrough because the bug surfaces when a site uses a service worker to intercept the loading of media through the <audio> element, whose seeking relies on HTTP “Range” requests.
The Range headers can be used by “media elements if the user seeks the media, so it can go straight to that point without downloading everything before it,” Archibald explains.
What the researcher noticed was that, when the request passed through a service worker, the Range header was missing, because media elements make “no-cors” requests, and Range is not a header such requests may carry.
“If you fetch() something from another origin, that origin has to give you permission to view the response. By default the request is made without cookies, and if you want cookies to be involved, the origin has to give extra permission for that,” he notes.
If a request uses headers beyond the safelisted ones, the browser also checks with the origin for permission before sending it, but some APIs bypass these checks, which is where sensitive data can leak. No-cors requests are sent with cookies and receive opaque responses; page script cannot read their bodies, but certain APIs, such as media elements, still consume the content.
Thus, when a media element makes a no-cors request with a Range header, fetch() strips the header, because it is not allowed in no-cors requests. And because the handling of Range requests by media elements was never standardized in HTML, and a service worker can answer any intercepted request with a response of its choosing, a website could respond to them arbitrarily.
“You can respond to a request however you want, even if it's a no-cors request to another origin. For example, you can have an <img> on your page that points to facebook.com, but your service worker could return data from twitter.com,” the researcher explains.
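The following is an added example, not code from the article or from Jake Archibald, that models the mechanism described above in plain Node.js: a media element issues no-cors requests for a resource, a service worker intercepts them and answers the seek (Range) request with a cookie-bearing fetch of another origin, and the bytes reach the element even though page script could never read them. The "hardened" loader applies a simplified form of the same-origin rule that the later spec changes introduced (a partial response from a different origin than the first one is rejected unless it is CORS-readable); that rule is paraphrased here, and every origin, URL, body and the service-worker logic are constructed for the illustration.

```javascript
// Added example, not code from the article or from Jake Archibald: an
// in-process model of the Wavethrough flow and of the mixed-origin check that
// closes it. All origins, URLs, bodies and the service-worker logic are
// constructed for the illustration; nothing here touches the network.

const PAGE_ORIGIN = "https://attacker.example";
const VICTIM_URL = "https://victim.example/inbox";

function originOf(url) {
  return new URL(url).origin;
}

// Constructed back ends keyed by origin. The victim only reveals the private
// body when cookies are present; no-cors requests always carry them.
const backends = {
  "https://attacker.example": () => ({
    url: PAGE_ORIGIN + "/intro.wav",
    body: "RIFF-WAVE-prefix",
  }),
  "https://victim.example": (req) => ({
    url: VICTIM_URL,
    body: req.cookies ? "Subject: private mail" : "401 login required",
  }),
};

// Model of fetch() as the article describes it: a no-cors request carries the
// user's cookies and, when it is cross-origin, yields an opaque response whose
// body page script cannot read. The media element still gets the bytes, which
// is the channel the bug abused.
function networkFetch(req) {
  const raw = backends[originOf(req.url)]({ ...req, cookies: req.mode === "no-cors" });
  return {
    url: raw.url,
    type: originOf(raw.url) === PAGE_ORIGIN ? "basic" : "opaque",
    body: raw.body,
  };
}

// Model of handing a request to a service worker: the Range header is not
// allowed on no-cors requests, so the worker never sees it (as the article
// notes), but it can still answer with a response from any origin.
function dispatchToServiceWorker(req, handler) {
  const headers = { ...req.headers };
  if (req.mode === "no-cors") delete headers.Range;
  return handler({ ...req, headers });
}

// Constructed attacker service worker: the first request gets a locally served
// audio prefix; every later request, which the media element issued to seek,
// is answered with a cookie-bearing fetch of the victim's page instead.
function attackerServiceWorker() {
  let count = 0;
  return (req) => {
    count += 1;
    if (count === 1) return networkFetch({ ...req, url: PAGE_ORIGIN + "/intro.wav" });
    return networkFetch({ ...req, url: VICTIM_URL });
  };
}

// Model of the media element loader: an initial request followed by a seek,
// i.e. a request with a Range header. When `hardened` is true it applies a
// simplified (paraphrased, assumed) form of the rule adopted after this bug:
// a response from a different origin than the first one is rejected unless it
// is CORS-readable.
function loadMedia(swHandler, hardened) {
  const requests = [
    { url: PAGE_ORIGIN + "/track.wav", mode: "no-cors", headers: {} },
    { url: PAGE_ORIGIN + "/track.wav", mode: "no-cors", headers: { Range: "bytes=1024-" } },
  ];
  const samples = [];
  let firstOrigin = null;
  for (const req of requests) {
    const res = dispatchToServiceWorker(req, swHandler);
    const resOrigin = originOf(res.url);
    if (firstOrigin === null) firstOrigin = resOrigin;
    if (hardened && resOrigin !== firstOrigin && res.type === "opaque") {
      return { error: "mixed-origin media response", samples };
    }
    samples.push(res.body); // what the Web Audio API would expose as samples
  }
  return { error: null, samples };
}

console.log("vulnerable:", loadMedia(attackerServiceWorker(), false));
console.log("hardened:  ", loadMedia(attackerServiceWorker(), true));
```

The vulnerable run ends with the victim's private body sitting in the element's sample buffer; the hardened run stops at the second response with an error and only the attacker's own prefix loaded. The check keys on the origin of the response actually received, not on the URL the element asked for, because the service worker controls the mapping between the two.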
After setting up a website that did just that, Archibald found that the beta and nightly versions of Firefox accepted the cross-origin response for the Range request and exposed the duration of the resulting audio. The bug was patched before it reached the stable Firefox release.
Edge was vulnerable too, and it went further: it also passed the resulting audio through the Web Audio API, so the page could read the decoded samples as they played. Because the request is made with cookies, the attack revealed content otherwise accessible only when the user is logged in.
“It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing,” the researcher points out.
In addition to getting the bug fixed in Firefox and Edge, Archibald has been working on changing the standards governing Range requests so as to eliminate this class of issue. His discovery also resulted in Cross-Origin Read Blocking (CORB) being added to the Fetch specification.