The Microsoft Edge Browser Edges Into the Bug Territory

microsoft edge browser malicious bug detected

A security researcher working at Google recently discovered a high-severity vulnerability on the Microsoft Edge web browser. The flaw could allow hackers to access the victim’s sensitive information without their knowledge.

Although the security loophole has been patched, it points to the need of always keeping your programs up-to-date and avoid visiting malicious websites.

How the bug was discovered

Jake Archibald, a developer who works at Google, exposed this bug accidently and named it “Wavethrough.” It is so-named because the browser security bug involves playing a wave audio, which an attacker could compromise to steal sensitive users’ data.

Archibald discovered the bug a few months ago and has since published the details on his blog here.  After finding out about the loophole, Google informed Microsoft to fix the issue within 90 days.

And, Google made the issue public the after the lapsing of the waiting period and reluctance of Microsoft to address the problem.

The bug’s bad effects

The Wavethrough bug deals with how web browsers handle cross-origin requests to multimedia data.

It can be exploited when a malicious website employs service workers to load multimedia data inside an <audio> tag from a different location. At the same time, the site will utilize the “range” parameter to fetch just a particular portion of that file.

Because of the irregularities in how browsers handle files loaded from other locations with the help of service workers inside audio tags, a hacker can easily deploy any content on the malicious website and harvest users’ sensitive information.

Usually, browsers have an in-built safeguard called CORS (Cross-Origin Resource Sharing), which does not allow websites to load content from other websites.

However, in this serious security flaw, after luring a victim to the website, the attacker could circumvent this security measure and compel the browser to transmit data that could otherwise be unobtainable.

This implies that a user could visit a compromised website using a poorly programmed browser, allowing the attacker to access their information such as emails and Facebook updates—all without knowing.

Here is a video Archibald created to show the bad effects of the Microsoft Edge bug:

Fixing the Wavethrough bug

The good news is that the Wavethrough browser vulnerability does not affect all browsers. It was only majorly discovered on the Microsoft Edge browser.

Mozilla Firefox could also be susceptible to the bug, but only its beta version was discovered to be vulnerable. However, the company’s developers fixed this issue before the bug was introduced to the main Firefox Stable release version.

Other major browsers like Chrome and Safari were found to be unaffected by the Wavethrough bug.

Microsoft codenamed the loophole as the “CVE-2018-8235 security vulnerability” and listed it as “bypass vulnerability.” The company has released updates to correct the flaw and offer users with a secure browsing experience.

Wrapping up

This is not the first time a significant security flaw is discovered on a major web browser. Therefore, improving your cyber security skills is critical to prevent your sensitive data from unauthorized access.

For example, Waqar Ahmed, who is a Certified Ethical Hacker and Certified Penetration Testing Engineer, teaches people simple tools and techniques for safeguarding themselves from falling victims to the hackers.

You can learn from him and secure your browsing experience—regardless of the browser you use!

About author

I, Dr. Michael J. Garbade is the co-founder of the Education Ecosystem (aka LiveEdu), ex-Amazon, GE, Rebate Networks, Y-combinator. Python, Django, and DevOps Engineer. Serial Entrepreneur. Experienced in raising venture funding. I speak English and German as mother tongues. I have a Masters in Business Administration and Physics, and a Ph.D. in Venture Capital Financing. Currently, I am the Project Lead on the community project -Nationalcoronalvirus Hotline I write subject matter expert technical and business articles in leading blogs like Opensource.com, Dzone.com, Cybrary, Businessinsider, Entrepreneur.com, TechinAsia, Coindesk, and Cointelegraph. I am a frequent speaker and panelist at tech and blockchain conferences around the globe. I serve as a start-up mentor at Axel Springer Accelerator, NY Edtech Accelerator, Seedstars, and Learnlaunch Accelerator. I love hackathons and often serve as a technical judge on hackathon panels.