A bug in Microsoft’s Edge browser may have enabled attackers to retrieve the content of other websites that are open in browser tabs. Here are a few details.
As I read here, Jake Archibald, a Google developer, discovered this bug and says it’s a ‘huge bug’ in Microsoft’s browser. The bug allowed a malicious website to access content from other websites by playing audio files in a way that had unintended consequences. The author has set up a demo page where, for example, e-mails from an open HTML mailbox could be read during a visit.
Abusing Service Worker
The error could occur when a malicious website uses service workers to load multimedia content from a website within an <audio> tag, while at the same time using the “range” parameter to load only a specific section of that file.
Jake Archibald writes that inconsistencies in how service workers handle files loaded into audio tags make it possible to load any content within the malicious website. This is impossible under normal circumstances, as it is prevented by the browser security function CORS (Cross-Origin Resource Sharing). This feature prevents websites from loading resources from other websites.
But in this special configuration, the attacker’s website was able to make so-called “no-cors” requests in the Edge browser. The addressed website (e.g. Facebook, Gmail or BBC) then delivers the desired content. The malicious site would have access to any information (including information that requires registration with an online account).
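The following sketch is an added example, not code from Jake Archibald’s article or from any browser. It models the bookkeeping a media loader needs when one audio resource is assembled from several range responses: judging the whole resource by its first chunk is inconsistent, while treating any opaque (“no-cors”) chunk as tainting the resource is not. The function names, the sample origins and the “first chunk only” rule are assumptions chosen for illustration.

```javascript
// Added illustration: a simplified model, not browser source code.
// Each chunk is one range response used to build a single <audio> resource.
// `type` uses the Fetch API response types: 'basic', 'cors' or 'opaque'.
// `origin` is where the bytes really came from; names are hypothetical.

// Inconsistent rule (assumed for illustration): judge the whole resource
// by its first chunk only.
function scriptMayReadNaive(chunks) {
  return chunks.length > 0 && chunks[0].type !== 'opaque';
}

// Conservative rule for this model: any opaque chunk taints the resource,
// and a resource containing opaque data must come from a single origin.
function assessMedia(chunks) {
  const problems = [];
  const tainted = chunks.some((c) => c.type === 'opaque');
  const firstOrigin = chunks.length > 0 ? chunks[0].origin : null;
  chunks.forEach((chunk, i) => {
    if (tainted && chunk.origin !== firstOrigin) {
      problems.push(`chunk ${i} (${chunk.range}) came from ${chunk.origin}, expected ${firstOrigin}`);
    }
  });
  return {
    play: chunks.length > 0 && problems.length === 0,
    scriptMayRead: chunks.length > 0 && !tainted,
    problems,
  };
}

// Constructed sample data (not captured traffic).
const mixedChunks = [
  { range: 'bytes=0-99', type: 'basic', origin: 'https://page.example' },
  { range: 'bytes=100-', type: 'opaque', origin: 'https://other.example' },
];
const sameOriginChunks = [
  { range: 'bytes=0-99', type: 'basic', origin: 'https://page.example' },
  { range: 'bytes=100-', type: 'basic', origin: 'https://page.example' },
];

console.log(scriptMayReadNaive(mixedChunks));
console.log(assessMedia(mixedChunks));
console.log(assessMedia(sameOriginChunks));
```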
Not all browsers affected by Wavethrough
The bug, named Wavethrough and assigned CVE-2018-8235, curiously did not affect all browsers. Only Edge and Firefox were vulnerable; Google Chrome and Apple’s Safari were safe.
The bug only affected Firefox Nightly versions, because Mozilla’s developers fixed the issue in the Nightly version before the bug made it into the major version of Firefox Stable. Archibald suspects, however, that the Chrome developers accidentally patched the Wavethrough bug when other patches were implemented that affect the range audio/video selector.
Microsoft Edge is also patched!
Despite some hurdles in reporting the bug to Microsoft, the operating system vendor fixed the Wavethrough bug with a patch in June 2018. Microsoft has described the whole thing under CVE-2018-8235. Details can be found in Jake Archibald’s article.
Improving standard and a test page
Bleeping Computer notes here that Jake Archibald has also worked to improve web standards to make it clearer how browsers should deal with loading resources from other websites via requests from service workers. Archibald has set up a proof-of-concept page to demonstrate the bug. When you call up the page, it shows the content of other pages opened in the browser (or not).
The above YouTube video has been created by Jake Archibald and shows how Wavethrough reads content from the BBC website by playing an audio file on another page.