Patch Management

Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit

April 25, 2017

Even a brilliant scientist like Charles Darwin couldn't protect his Twitter account from being hijacked after a researcher stole his cookies and passwords by exploiting a reported universal cross-site scripting vulnerability in the Microsoft Edge browser.

Okay, so it wasn't really Darwin – just a fake account set up for a video demonstration – but the hack technique is very real. Via his Broken Browser blog, researcher Manuel Caballero explained that he is able to take over users' web services by bypassing Edge's same-origin policy (SOP), the protection that normally prevents code on one page from accessing data on a second page unless they share the same origin.

"Charles Darwin is an example; this vulnerability allows the attacker to tweet (and more) on the name of the logged user," Caballero posted.

The basic premise involves about:blank pages, which are found in most browsers and simply display an empty page. Caballero found that Microsoft Edge did not properly enforce cross-domain policies with about:blank, creating the possibility that an attacker could access information from one domain and inject it into another, and then elevate privileges. An adversary could have accomplished this by tricking users into clicking a link that takes them to the attacker's site.

In January 2017, Microsoft issued a bulletin stating that it patched the flaw by "assigning a unique origin to top-level windows that navigate to Data URLs." But Caballero apparently has since found another way to subvert the SOP protections using a combination of data URIs (Uniform Resource Identifiers), meta refresh tags, and about:blank pages that are not assigned a specific domain.
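
To make the "unique origin" idea in the quoted bulletin concrete, the following added example (not from the article, Caballero's post, or Edge's code) is a simplified model of an origin check in which every data: URL gets its own opaque origin, next to a naive string comparison that treats all such origins as equal. The function names are hypothetical and the URLs are constructed samples.

```javascript
// Simplified model of same-origin comparison; not a browser implementation.
let opaqueCounter = 0;

// Derive an origin record from a URL string.
// http/https URLs yield a (scheme, host, port) tuple. URLs whose serialized
// origin is "null" (data:, about:blank, ...) get a fresh opaque origin on
// every call, modelling "a unique origin" per navigation.
function originOf(urlString) {
  const u = new URL(urlString);
  if (u.origin === 'null') {
    return { opaque: true, id: ++opaqueCounter };
  }
  return { opaque: false, scheme: u.protocol, host: u.hostname, port: u.port };
}

// Two origins match only if both are tuples with equal scheme, host and port.
// An opaque origin matches nothing except the very same origin object.
function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Naive check: compares serialized origins, so every opaque origin
// serializes to "null" and looks identical to every other one.
function naiveSameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Constructed sample URLs.
const dataA = 'data:text/html,<p>first</p>';
const dataB = 'data:text/html,<p>second</p>';

console.log(naiveSameOrigin(dataA, dataB));                 // treated as equal
console.log(sameOrigin(originOf(dataA), originOf(dataB)));  // kept apart
```

Code that makes trust decisions on a serialized origin string should reject the value "null" outright, since it identifies no particular origin.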

SC Media contacted Microsoft for comment and received the following response from a spokesperson: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”
