Microsoft Edge Vulnerability Could’ve Allowed Hackers to Steal Files
The CVE-2021-34506 Vulnerability Was Patched by the Tech Giant on June 24th As Part of Its Chromium Project Security Updates.
Last week, Microsoft released updates for the Edge browser with fixes for two security issues, one of which involved a security bypass vulnerability that could have been exploited to inject and execute arbitrary code in the context of any website.
The vulnerability, tracked as CVE-2021-34506, stems from a universal cross-site scripting (UXSS) issue that’s triggered when web pages are automatically translated by the browser’s built-in feature, which uses Microsoft Translator.
Researchers Ignacio Laurence and CyberXplore Private Limited’s Vansh Devgan and Shivam Kumar Singh were behind the discovery.
In a blog post on CyberXplore, Devgan and Singh explained:
“Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.”
What’s more, the researchers proved it was possible to trigger the attack simply by adding to a YouTube video a comment written in a language other than English, along with an XSS payload.
Similarly, a Facebook friend request from a profile with non-English content and the XSS payload was found to execute the code as soon as the recipient of the request visited the user’s profile.
The latest version of Microsoft Edge (version 91.0.864.59) can be downloaded by accessing Settings and more > About Microsoft Edge (edge://settings/help).