Exploit tested successfully on Google, YouTube, and Facebook domains

Microsoft Edge Translator contained uXSS flaw exploitable 'on any web page'

A universal cross-site scripting (uXSS) vulnerability in Microsoft Edge’s translation function left users open to attack, regardless of which website they visited, security researchers have claimed.

Netting a $20,000 bug bounty payout for their exploit, the researchers inserted malicious JavaScript into web pages along with text written in a language that was non-native to a target user’s Edge settings.

If Microsoft Translator was set to auto-translate or activated by clicking on the relevant prompt, the browser attempted to re-render the page, but failed to render the image tag, triggering an error event and calling the malicious function.

The Chromium-based browser’s security defenses were bypassed with the payload “>img src=x onerror=alert(1)> because the vulnerable StartPageTranslation function failed to sanitize the “>img image tag or perform a validation check that would covert “complete DOM into text and then process it for translation”, reads a blog post published by Vansh Devgan and Shivam Kumar Singh of Indian infosec firm CyberXplore.

Pwned in translation

So long as a website reflects a suitable XSS payload, the attack would work, regardless of whether the website properly sanitizes the text, the researchers intimated.

The duo validated this hypothesis with a foreign-language YouTube video comment, Google review (proof-of-concept video), and, contingent on acceptance of a friend request, Facebook profile (video).

Catch up on the latest browser security news

Web applications on Microsoft Store were also vulnerable as Microsoft ships the applications with the translator add-on, something also demonstrated in a proof-of-concept video targeting Instagram:

Moreover, claims Devgan, if a security researcher were using training labs featuring XSS payloads, these would be triggered when Edge translated the page.

Low blow

Now patched, the vulnerability (CVE-2021–34506) was classed as medium severity (CVSS 5.4) by Microsoft, despite the huge reward handed out under its Edge bug bounty program.

“The bounty seems less [than it should be] and the CVSS seems wrong to me,” says Devgan, who believes a ‘critical’ designation would be more appropriate. “It can actually trigger XSS on any page on [the] entire internet.”

Hussein Nasser, the software engineer and hugely popular YouTuber, echoed these sentiments in his video take on the exploit, describing the payout as “low for Microsoft”.

In response to queries from The Daily Swig – and from Devgan himself, he claimed – Microsoft declined to comment further on the perceived mismatch between the payout and CVSS score.

‘Anything is possible’

Devgan and Kumar Singh were inspired to stress-test the function after their efforts to find bugs under Mail.Ru’s Russian-language bug bounty program were frustrated by the removal of several Firefox extensions for translation owing to security vulnerabilities.

“I thought these extensions have universal access to any site on [the] browser,” wrote Devgan. “Like if you are on Facebook.com they can access complete DOM of that page, cookies & anything which is possible with JavaScript.”

The researchers notified Microsoft of the vulnerability on June 3 and the tech giant issued a patch on June 24.

DON’T FORGET TO READ Multiple vulnerabilities in WordPress plugin pose website remote code execution risk