Contents:
Last week, Microsoft released updates for the Edge browser with fixes for two security issues, one of which involved a security bypass vulnerability that could have been exploited to inject and execute arbitrary code in the context of any website.
The vulnerability, tracked as CVE-2021-34506, stems from a universal cross-site scripting (UXSS) issue that’s activated when web pages are automatically translated with the browser’s built-in feature via Microsoft Translator.
Researchers Ignacio Laurence and CyberXplore Private Limited’s Vansh Devgan and Shivam Kumar Singh were behind the discovery.
In a blog post on CyberXplore, Devgan and Singh explained:
Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.
As reported by TheHackerNews reports, the researchers found that the translation feature contained a piece of vulnerable code that failed to sanitize input. This could have allowed threat actors to insert malicious JavaScript code anywhere in the webpage and subsequently executed when the user clicks the prompt on the address bar to translate the page.
What’s more, the researchers proved it was possible to trigger the attack simply by adding a comment to a YouTube video, which is written in a language other than English, along with an XSS payload.
Similarly, a Facebook friend request from a profile with non-English content and the XSS payload was found to execute the code as soon as the recipient of the request visited the user’s profile.
The latest version of Microsoft Edge (version 91.0.864.59) can be downloaded by accessing Settings and more > About Microsoft Edge (edge://settings/help).