We all know Microsoft recently shipped a massive ‘bug fix bundle’ with patches for around 50 vulnerabilities, including the patch for Cortana’s Lock Screen Bypass Vulnerability. However, not many people know about all of the vulnerabilities fixed in that release. It was also unusual to see patches for 50 different bugs released together. It seems the team has been quietly working through issues reported to it over the past months. Now, an independent security researcher has disclosed one such issue. He calls it the Wavethrough vulnerability.
Microsoft Edge’s Wavethrough Vulnerability Could Allow Data Scraping
It was just another day when Jake Archibald, an independent security researcher, accidentally stumbled upon a browser vulnerability. While at work, he found a bug in the Firefox and Microsoft Edge browsers, which he named Wavethrough. The name comes from the fact that it exploited WAV audio in browsers, giving access to browser data that should otherwise remain hidden.
According to Jake Archibald, the vulnerability involves using service workers to load multimedia content inside an audio tag from a remote link, combined with the ‘range’ parameters to reach a specific section of that file.
The range parameters help browsers resume downloads, particularly when a user navigates to some other section of a file. This saves the user the time of downloading the entire file. As the researcher explains,
“Browsers use this for resuming downloads, but it’s also used by media elements if the user seeks the media, so it can go straight to that point without downloading everything before it, or to pick up metadata if it’s one of those annoying media formats that has important metadata at the end of the file.”
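The range mechanism described above, seen from the server's side, as an added example that is not code from the researcher or from either browser. The function names `resolveRange` and `serveRange` and the 16-byte sample file are assumptions made for illustration, and only a single range per request is handled.

```javascript
// Added example: single-range handling for an HTTP Range header.
// resolveRange/serveRange are hypothetical names; SAMPLE is constructed data.
const SAMPLE = Buffer.from('0123456789ABCDEF'); // stands in for a 16-byte media file

function whole(size) {
  return { status: 200, start: 0, end: size - 1 };
}

function unsatisfiable(size) {
  // 416 tells the client the requested section does not exist.
  return { status: 416, contentRange: `bytes */${size}` };
}

function resolveRange(header, size) {
  if (header == null) return whole(size);
  const m = /^bytes=(\d*)-(\d*)$/.exec(header.trim());
  // Malformed or multi-range values are ignored here and the full file is served.
  if (!m || (m[1] === '' && m[2] === '')) return whole(size);
  let start, end;
  if (m[1] === '') {
    // Suffix form "bytes=-N": the last N bytes, e.g. trailing metadata.
    const n = Number(m[2]);
    if (n === 0 || size === 0) return unsatisfiable(size);
    start = Math.max(size - n, 0);
    end = size - 1;
  } else {
    // "bytes=A-" (seek and play on) or "bytes=A-B" (one bounded section).
    start = Number(m[1]);
    if (m[2] !== '' && Number(m[2]) < start) return whole(size); // invalid spec
    if (start >= size) return unsatisfiable(size);
    end = m[2] === '' ? size - 1 : Math.min(Number(m[2]), size - 1);
  }
  return { status: 206, start, end, contentRange: `bytes ${start}-${end}/${size}` };
}

function serveRange(header, file) {
  const r = resolveRange(header, file.length);
  if (r.status === 416) {
    return { status: 416, headers: { 'Content-Range': r.contentRange }, body: Buffer.alloc(0) };
  }
  const body = file.subarray(r.start, r.end + 1);
  const headers = { 'Accept-Ranges': 'bytes', 'Content-Length': String(body.length) };
  if (r.status === 206) headers['Content-Range'] = r.contentRange;
  return { status: r.status, headers, body };
}
```

A seek maps to the open-ended form (`bytes=10-`) and the end-of-file metadata case in the quote maps to the suffix form (`bytes=-4`).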
Describing the harm this vulnerability could cause, the researcher says,
“It’s kinda pathetic how excited I got about this, but this is a huge bug. It means you could visit my site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing.”
Fortunately, Microsoft Has Already Fixed It!
The researcher noticed the Wavethrough vulnerability in the Firefox and Microsoft Edge browsers and reported the flaw, after which Firefox quickly fixed it. However, he had some trouble communicating with Microsoft over the issue.
Thankfully, Microsoft released a patch before anyone could exploit this vulnerability. Microsoft called it the “Microsoft Edge Security Feature Bypass Vulnerability”, tracked as CVE-2018-8235 and labelled ‘important’. All Microsoft Edge users should ensure their browsers are updated to the latest version to stay protected from this flaw.