UXSS bug on Microsoft Edge allows hackers to steal user information
The vulnerability, codenamed CVE-2021-34506 (CVSS score: 5.4), stems from a UXSS issue. It is activated when automatically translating web pages using pre-installed features through Microsoft Translator.
"Unlike normal XSS attack, UXSS is an attack type where vulnerabilities reside inside the browser or browser extension to create conditions similar to XSS conditions and execute malicious code. " - The Hacker News quotes CyberXplore experts. "When such vulnerabilities are found and exploited, browser behavior is affected and security features may be ignored or disabled."
Specifically, the researchers discovered that the translation feature contained a vulnerable piece of code that failed to clean the input. As a result, an attacker has the ability to insert malicious JavaScript code anywhere in the website. The malicious code is then executed when the user clicks on the address bar prompt to translate the page.
As a method of POC exploit, the attack is easily accomplished simply by adding non-English comments to a YouTube video, along with the XSS payload.
Likewise, the XSS payload and a Facebook friend request whose profile contains other language content were found to execute code immediately after the requester's friend checked the friend's profile. friend.
On June 24, 3 weeks after receiving the report, Microsoft fixed the problem and awarded $20,000 to CyberXplore security experts.
You can download the latest update (version 91.0.864.59) for the Chromium-based browser by going to Settings and more -> About Microsoft Edge (edge://settings/help) .
You should read it
- The 5 most common errors on Galaxy S7 / Galaxy S7 Edge and how to fix them
- Fix the error We couldn't load this extension on Edge browser
- How to Fix 'Can't Reach This Page' Error on Microsoft Edge
- Instructions for restoring Microsoft Edge on Windows 10
- How to color PDF documents on Microsoft Edge
- Fix Microsoft Edge using RAM on Windows 10
- Microsoft Edge is about to add a series of features to support remote work and enhance security
- Microsoft Edge is about to integrate YouTube with the Discover feature, promising many interesting experiences
- Manage and delete browsing data on Microsoft Edge
- How to fix status_invalid_image_hash error on Microsoft Edge
- How to allow Pop-Up window to be displayed in Microsoft Edge
- New Edge is very similar to Chrome, so is there any reason to switch from Chrome to Edge?
Maybe you are interested
Latest Anime Squad Simulator Codes and How to Enter Codes
Latest Pokemon Unite Codes and Code Entry Instructions
Summary of the latest Marvel Rivals codes
Gym Race Simulator Code Get Free Gems, Pets, Items
Code Tien Ton Cung Phuong Dong Hanh to receive free Spirit Beast and KNB
Code Tam Quoc Counterattack VNG receive KNB, FREE Orange General