Browsers could leak private user data through range request flaw

Researcher takes issue with Microsoft’s sluggish response to bug impacting Edge

Microsoft has patched a vulnerability in its Edge browser that could enable a malicious website to read a user’s emails and social media feeds.

The bug, discovered by Jake Archibald, developer advocate for Google Chrome, relates to the way Edge handles HTTP range requests for embedded audio and video files – a feature that’s used to load specific parts of multimedia content from external sources.

Archibald found that the range requests were happy to follow redirect instructions. This could allow a malicious site to covertly fetch data from elsewhere in the user’s browser.

“This is a huge bug,” he said in a blog post yesterday. “It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing.”

The vulnerability was also found to affect Firefox, albeit to a lesser extent, with Archibald demonstrating how he was able to determine the length of the cross-origin resource from the audio length.

He explained: “Leaking the length of a resource may not sound like a big deal, but consider an endpoint like gender.json. The content length can give a lot away. Also see Timing Attacks in the Modern Web… which demonstrates the amount of information content length can leak.”

While Archibald commended the Mozilla devs for quickly addressing the bug, he took issue with Microsoft’s sluggish response to his vulnerability report.

“I filed the issue in Edge’s bug tracker on March 1 and notified secure@microsoft.com,” he said. “I got an email from Microsoft security later that day saying that they don’t have access to Edge’s bug tracker, and asked if I could paste the details into an email for them.

“The next day they said they couldn't investigate the issue unless I provided the source code. C’mon folks, the ‘view source’ button is right there. Anyway, I sent them the source. Then there was 20 days of silence.”

Following numerous back-and-forths via email and on social media, Microsoft finally patched the bug on June 12.

“Security issues like this put their users at huge risk, and they need to ensure reporting these things isn’t more effort than it’s worth,” said Archibald.