UXSS bug on Microsoft Edge allows hackers to steal user information
The vulnerability, tracked as CVE-2021-34506 (CVSS score: 5.4), stems from a UXSS (universal cross-site scripting) issue. It is triggered when web pages are translated automatically through the browser's built-in Microsoft Translator feature.
"Unlike a normal XSS attack, UXSS is an attack type where vulnerabilities reside inside the browser or a browser extension to create conditions similar to XSS conditions and execute malicious code," The Hacker News quotes CyberXplore experts as saying. "When such vulnerabilities are found and exploited, browser behavior is affected and security features may be ignored or disabled."
Specifically, the researchers discovered that the translation feature contained a vulnerable piece of code that failed to sanitize its input. As a result, an attacker can insert malicious JavaScript code anywhere on a website; the code is then executed when the user clicks the address-bar prompt to translate the page.
As a proof of concept, the attack can be carried out simply by adding non-English comments, together with an XSS payload, to a YouTube video.
Likewise, an XSS payload placed in the profile of a Facebook account containing content in another language was found to execute as soon as a person who received a friend request from that account viewed the requester's profile.
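The sanitization failure described above, in simplified form, as an added example written for this article (it is not Edge's or Microsoft Translator's code, and the helper names are made up): a page that had already escaped a user comment is re-rendered by a translation pass, and the difference between writing the translated text back as markup and writing it back as text is exactly the difference between a live payload and inert text.

```javascript
// Model of the bug class: translating text read from a page and writing it back.
// Constructed for illustration; not the browser's actual translation code.

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;' };
const escapeHtml = (s) => s.replace(/[&<>"]/g, (c) => ENTITIES[c]);

// textContent-style read: entity-encoded markup comes back as plain characters,
// which is why a later innerHTML-style write is dangerous.
const decodeEntities = (s) =>
  s.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&quot;/g, '"').replace(/&amp;/g, '&');

// Stand-in for the translation service; the translated wording is irrelevant here.
const translate = (text) => `[translated] ${text}`;

// Extract each <p>'s text the way a browser's textContent would return it.
function extractParagraphs(html) {
  return [...html.matchAll(/<p>(.*?)<\/p>/gs)].map((m) => decodeEntities(m[1]));
}

// UNSAFE: translated text is written back as markup (innerHTML-style), so the
// markup the hosting site had neutralised becomes live again.
function translateUnsafe(html) {
  return extractParagraphs(html).map((t) => `<p>${translate(t)}</p>`).join('');
}

// HARDENED: translated text is written back as text (textContent-style), so the
// page is no less safe after translation than before it.
function translateSafe(html) {
  return extractParagraphs(html).map((t) => `<p>${escapeHtml(translate(t))}</p>`).join('');
}

// Defender's check: how many live <script> tags does the output contain that the
// input did not? Anything above zero means the pass introduced executable markup.
function countNewScriptTags(before, after) {
  const count = (s) => (s.match(/<script\b/gi) || []).length;
  return count(after) - count(before);
}

// Constructed sample: a non-English comment that the hosting site escaped correctly.
const SAMPLE_PAGE = '<p>Bình luận: &lt;script&gt;alert(1)&lt;/script&gt;</p>';
```

In a real browser the hardened path corresponds to assigning translated strings via `textContent` or `createTextNode` rather than `innerHTML`.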
On June 24, 3 weeks after receiving the report, Microsoft fixed the problem and awarded $20,000 to CyberXplore security experts.
You can download the latest update (version 91.0.864.59) for the Chromium-based browser by going to Settings and more -> About Microsoft Edge (edge://settings/help).