Exploit tested successfully on Google, YouTube, and Facebook domains
A universal cross-site scripting (uXSS) vulnerability in Microsoft Edge’s translation function left users open to attack, regardless of which website they visited, security researchers have claimed.
If Microsoft Translator was set to auto-translate or activated by clicking on the relevant prompt, the browser attempted to re-render the page, but failed to render the image tag, triggering an error event and calling the malicious function.
The Chromium-based browser’s security defenses were bypassed with the payload "><img src=x onerror=alert(1)> because the vulnerable StartPageTranslation function failed to sanitize the "><img image tag or to perform a validation check that would “convert complete DOM into text and then process it for translation”, reads a blog post published by Vansh Devgan and Shivam Kumar Singh of Indian infosec firm CyberXplore.
Pwned in translation
Web applications in the Microsoft Store were also vulnerable, as Microsoft ships these applications with the translator add-on, something also demonstrated in a proof-of-concept video targeting Instagram.
Moreover, claims Devgan, if a security researcher were using training labs featuring XSS payloads, these would be triggered when Edge translated the page.
“The bounty seems less [than it should be] and the CVSS seems wrong to me,” says Devgan, who believes a ‘critical’ designation would be more appropriate. “It can actually trigger XSS on any page on [the] entire internet.”
Hussein Nasser, the software engineer and hugely popular YouTuber, echoed these sentiments in his video take on the exploit, describing the payout as “low for Microsoft”.
In response to queries from The Daily Swig – and from Devgan himself, he claimed – Microsoft declined to comment further on the perceived mismatch between the payout and CVSS score.
‘Anything is possible’
Devgan and Kumar Singh were inspired to stress-test the function after their efforts to find bugs under Mail.Ru’s Russian-language bug bounty program were frustrated by the removal of several Firefox extensions for translation owing to security vulnerabilities.
The researchers notified Microsoft of the vulnerability on June 3 and the tech giant issued a patch on June 24.