Hidden whitelist allowed sites to run Flash content without permission
UPDATED A hidden whitelist in Microsoft Edge is allowing Facebook to execute Flash Player content without authorization.
Adobe’s soon-to-be-deprecated media plugin is notorious for being insecure, riddled with bugs, and leaving users vulnerable to cyber-attacks.
As a response, browsers severed their ties with the once-popular tech and enabled Click2Play, meaning websites are not allowed to execute Flash without users’ permission.
However, a hidden whitelist discovered by a Google Project Zero researcher has revealed that a number of domains have been able to bypass Click2Play in Microsoft’s Edge browser.
The file – c:\Windows\system32\edgehtmlpluginpolicy.bin – contains a default whitelist of domains that can bypass Click2Play and load Flash content without permission.
This issue was discovered by Ivan Fratric, who reported the flaw to Microsoft on November 26 and went public after the 90-day disclosure deadline expired.
The file contained 58 domains in Windows 10, version 1803. The Flash whitelist previously included popular sites such as viz.com and music.microsoft.com, but also lesser-known domains, for example, a Spanish hairdresser’s site.
Microsoft addressed Fratric's disclosure and removed 56 of the whitelisted sites, leaving just two – both of which belong to Facebook.
Facebook.com and apps.facebook.com are still present in the whitelist at the time of publication, The Daily Swig has verified.
The secret privileges mean that Facebook can execute Flash in Edge without express consent from the user.
Automatic Flash execution is a particular risk if a whitelisted domain has a cross-site scripting flaw, since Flash content injected through that flaw would also load without a Click2Play prompt.
Flash cookies can also be used to track and monitor a user’s browsing – a huge issue for the security-conscious.
These cookies are notoriously difficult to remove: they are stored outside the browser's normal cookie store and can remain on the drive even after a cleanup operation.
Fratric (@ifsecure) tweeted: “I wonder how the list was formed. And if MSRC [Microsoft Security Response Center] knew about it.”
He added: “Also, why was this list obfuscated? And why no one owned Edge in pwn2own with a Flash bug yet :-) And why, even after the fix, does Facebook still need to be whitelisted? So many questions :-)”
John Hazen, Microsoft Edge Product Development, told The Daily Swig: “We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan.”
This article has been updated to include comment from Microsoft.