Researcher earns $40k

Microsoft bug bounty awards $40,000 to security researcher

A security researcher has earned $40,000 for discovering what are said to be the first bugs in the new Chromium-based version of Microsoft’s Edge browser.

Abdulrhman Alqabandi discovered three distinct bugs in the new browser that collectively earns him $40,000 under a reward program set up by Microsoft back in August.

Only Microsoft-owned code is eligible under this program, leaving a small attack surface open to exploitation that Alqabandi was able to hit.

A proof-of-concept (PoC) developed by Alqabandi involved exploiting a cross site-scripting (XSS) vulnerability in Microsoft Edge to achieve a privilege escalation attack.

Although unconfirmed, Alqabandi suspects a separate bug he discovered might have allowed for the creation of a remote code execution (RCE) exploit, rather than the simple browser crash he was able to produce.

One of the XSS bugs involved a new feature in a component of the New Tab Page (NTP) of the revamped Edge browser and related to a failure to sanitize the title of visited web pages. The shortcoming meant that potentially hostile JavaScript was executed.

The bug meant it was possible to inject JavaScript into a higher privileged context from normal web content because the NTP is set up as a higher privileged page within Microsoft Edge (Chromium).

The last of the three bugs found by Alqabandi involved cookie manipulation, abusing a legacy MSN site, and taking over the NTP page, as Alqabandi explains in a detailed technical blog post. The post features PoC code and videos.

In response to queries from The Daily Swig, Alqabandi commented on the seriousness of the various vulnerabilities he found in Edge: “Worst case the bugs (first two) can lead to remote code execution by having a user simply visit a web page.

“Meaning one could use it to install any program they like on the user’s computer.”

Microsoft is yet to respond to a request for comment.

Chromium is an open source browser developed by Google that will power future versions of Edge, replacing the previous EdgeHTML engine under the bonnet. It started off and remains as the engine behind Google Chrome.

Alqabandi reported his findings to Microsoft in September before publicly disclosing his research over the festive season, after Microsoft had dealt with his report.

YOU MIGHT ALSO LIKE Microsoft pushes out Chromium-based Edge with new bug bounty program