A serious universal cross-site scripting (XSS) vulnerability existed in the Microsoft Edge browser.
Microsoft Edge Universal XSS Vulnerability
Two security researchers, Vansh Devgan and Shivam Kumar Singh, discovered a severe Universal XSS vulnerability in Microsoft Edge. Specifically, the bug affected the browser's built-in automatic translation feature.
Sharing the details in a post, the researchers revealed that they found this vulnerability when they visited a website in another language via the Edge browser and attempted to translate the page. The immediate appearance of popups led them to the discovery of the XSS.
Briefly, the bug existed in the startPageTranslation function. The vulnerable auto-translation code did not sanitize the “>” of HTML tags contained in the text it was translating. As stated in the post,
Microsoft Edge (Internal Translator Which Comes Pre-Installed) has vulnerable code which actually takes any HTML tags having a “>img tag without sanitising the input or converting the payload into text while translating, so actually that internal translator was taking the “>img src=x onerror=alert(1)> payload and executing it as JavaScript, as there was no proper validation check which does sanitisation or converts the complete DOM into text and then processes it for translation.
To test this, the researchers created a POC.html file containing the payload “><img src=x onerror=alert(1)>”. With it, they could demonstrate compromising any website, provided the target user opened the site in the Edge browser with auto-translation enabled.
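The pattern the researchers describe, as an added example that is not the article's or Microsoft's code: a translator that reads user-controlled page text and writes the translated result back as markup, beside the hardened form that writes it back as escaped text. The phrasebook, the title-attribute wrapper and the helper names are constructed for illustration and do not reproduce Edge's translator.

```javascript
// Added illustration of the bug class behind CVE-2021-34506 (not Edge's code): a page
// translator reads user-supplied text, translates it and writes it back into the page.
// The phrasebook and the markup shape are constructed assumptions for this example.
const PHRASEBOOK = { hola: "hello", amigo: "friend" }; // constructed sample dictionary

// Stand-in for the translation step: word-by-word lookup, unknown words pass through.
function fakeTranslate(text) {
  return text
    .split(/(\s+)/)
    .map((w) => PHRASEBOOK[w.toLowerCase()] ?? w)
    .join("");
}

// Escape the five characters that can change HTML structure in text or attribute context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: original and translated strings are spliced straight into markup
// (the innerHTML-style mistake). Text such as "><img src=x onerror=alert(1)> closes
// the title attribute and the wrapper tag, and the img becomes a live element.
function renderTranslatedUnsafe(originalText) {
  const translated = fakeTranslate(originalText);
  return `<span title="${originalText}">${translated}</span>`;
}

// HARDENED: the same output shape, but both strings are written as text, so the
// payload stays an inert string the reader can see but the browser will not execute.
function renderTranslatedSafe(originalText) {
  const translated = fakeTranslate(originalText);
  return `<span title="${escapeHtml(originalText)}">${escapeHtml(translated)}</span>`;
}

// Audit helper: list the element names the produced markup would create. Anything
// beyond the translator's own wrapper element came from the untrusted text.
function tagNames(html) {
  return Array.from(html.matchAll(/<([a-zA-Z][\w-]*)/g), (m) => m[1].toLowerCase());
}

// Constructed input: the payload shape reported for this bug.
const PAYLOAD = '"><img src=x onerror=alert(1)>';
console.log(tagNames(renderTranslatedUnsafe(PAYLOAD))); // [ 'span', 'img', 'img' ]
console.log(tagNames(renderTranslatedSafe(PAYLOAD)));   // [ 'span' ]
```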
The following video demonstrates hacking the Facebook account of a target user by simply sending a friend request from a profile created in another language.
Microsoft Deployed The Fix
Upon finding the vulnerability, the researchers reached out to Microsoft on June 3, 2021. After back-and-forth communication, Microsoft eventually developed a fix that they rolled out on June 24, 2021.
The tech giant has confirmed fixing this bug (CVE-2021-34506) alongside another vulnerability (CVE-2021-34475) in its advisory. Specifically, it rolled out the patches with the release of Microsoft Edge browser version 91.0.864.59.
Besides addressing the bug, Microsoft also awarded the researchers a $20,000 bounty for reporting this flaw.
Given the serious nature of this flaw, all Edge users should make sure the browsers on their devices are updated to the latest version to avoid potential attacks.