
Researcher pwns Charles Darwin to demonstrate Microsoft Edge exploit

Even a brilliant scientist like Charles Darwin couldn't protect his Twitter account from being hijacked after a researcher stole his cookies and passwords by exploiting a reported universal cross-site scripting vulnerability in the Microsoft Edge browser.

Okay, so it wasn't really Darwin – just a fake account set up for a video demonstration – but the hack technique is very real. Via his Broken Browser blog, researcher Manuel Caballero explained that he is able to take over users' web services by bypassing Edge's same-origin policy (SOP), the web application protection that normally prevents code on one page from accessing data on a second page unless the two pages share the same origin.

"Charles Darwin is an example; this vulnerability allows the attacker to tweet (and more) on the name of the logged user," Caballero posted.

The basic premise involves about:blank pages, which are found in most browsers and simply display an empty page. Caballero found that Microsoft Edge did not properly enforce cross-domain policies with about:blank, creating the possibility that an attacker could access information from one domain and inject it into another, and then elevate privileges. An adversary could have accomplished this by tricking users into clicking a link that takes them to his site.

In January 2017, Microsoft issued a bulletin stating that it patched the flaw by "assigning a unique origin to top-level windows that navigate to Data URLs." But Caballero apparently has since found another way to subvert the SOP protections using a combination of data URIs (Uniform Resource Identifiers), meta refresh tags, and about:blank pages that are not assigned a specific domain.
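The origin rules this story turns on, as an added example (not code from the article, from Caballero's write-up or from Microsoft): a simplified model of how a browser assigns an origin to http(s), about:blank and data: documents, in which every data: document receives a unique origin, a generalization of the fix Microsoft describes for top-level windows. The function names, the `creatorOrigin` parameter and the `.example` hosts are assumptions made for illustration.

```javascript
// Simplified model of origin assignment, written for illustration only.
let nextOpaqueId = 0;

// An opaque ("unique") origin matches nothing except itself.
function opaqueOrigin() {
  return { opaque: true, id: ++nextOpaqueId };
}

// Ordinary web origins are the (scheme, host, port) tuple.
function tupleOrigin(url) {
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = url.port || defaultPorts[url.protocol];
  return { opaque: false, scheme: url.protocol, host: url.hostname, port };
}

// creatorOrigin is the origin of the document that opened or framed this
// one, or null when there is none (hypothetical parameter for this model).
function originForDocument(urlString, creatorOrigin) {
  const url = new URL(urlString);
  if (url.protocol === "http:" || url.protocol === "https:") {
    return tupleOrigin(url);
  }
  if (url.href === "about:blank" && creatorOrigin) {
    return creatorOrigin; // about:blank inherits from its creator
  }
  // data: URLs, creator-less about:blank and anything else: fresh opaque origin
  return opaqueOrigin();
}

function sameOrigin(a, b) {
  if (a.opaque || b.opaque) return a === b; // identity only
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed sample documents; the .example hosts are placeholders.
function demo() {
  const site = originForDocument("https://social.example/home", null);
  const other = originForDocument("https://other.example/", null);
  const dataDoc = originForDocument("data:text/html,<p>hi</p>", other);
  return {
    samePortNormalised: sameOrigin(site, originForDocument("https://social.example:443/settings", null)),
    blankFramedBySite: sameOrigin(site, originForDocument("about:blank", site)),
    blankWithoutCreator: sameOrigin(site, originForDocument("about:blank", null)),
    dataVsOpener: sameOrigin(other, dataDoc),
    dataVsSite: sameOrigin(site, dataDoc),
    blankOpenedByData: sameOrigin(site, originForDocument("about:blank", dataDoc)),
  };
}
```

The only about:blank document that ends up same-origin with the site is the one the site itself created; every path that passes through a data: document or has no creator stays isolated.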

SC Media contacted Microsoft for comment and received the following response from a spokesperson: “Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.”

Bradley Barth

