Edge Browser Flaw Exposes Users' Personal Data to Any Website

Microsoft Edge has a security flaw that stems from a universal cross-site scripting (UXSS) condition triggered when translating web pages via Microsoft Translator, the browser's built-in translation feature.

UXSS is an attack that exploits client-side vulnerabilities in a browser or browser extension to create an XSS condition and execute malicious code. The Edge flaw, tracked as CVE-2021-34506, has a CVSS score of 5.4; its discovery is credited to Ignacio Laurence, Vansh Devgan and Shivam Kumar Singh of CyberXplore.

Microsoft has already rolled out updates for the Edge browser that fix the issue and has awarded the researchers $20,000 as part of its bug bounty program.

How the Edge Browser Flaw Could Have Allowed Anyone to Steal Your Private Data

Microsoft Translator, which comes pre-installed in the Edge browser, contained vulnerable code that accepted any HTML containing a "><img tag without sanitising the input or converting it to plain text before translation. As a result, the internal translator took a payload such as "><img src=x onerror=alert(1)> and executed it as JavaScript, because there was no validation step that sanitised the content or converted the DOM into text before processing it for translation.

Because the translation feature failed to sanitize input, an attacker could insert malicious JavaScript into any web page and have it executed as soon as the user clicked the prompt in the address bar to translate the page.

Web-based applications in the Windows Store may also be vulnerable to this kind of attack, as the Windows Store ships apps with Microsoft Translator, the component responsible for triggering the universal XSS (UXSS).
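As an added illustration (not Edge's or Microsoft Translator's own code), the following models the sink pattern described above: a translation step that writes page text back as live HTML versus one that keeps it as text. The mock translation service and the constructed comment string are assumptions made for the example.

```javascript
// Added example modelling the CVE-2021-34506 sink pattern; not Edge's real code.
// A mock "translate" service echoes text unchanged; the two render functions
// differ only in how the translated text is written back into the page markup.

// Constructed attacker-controlled page content (e.g. a user comment) carrying
// the payload quoted in the writeup.
const CONSTRUCTED_COMMENT = 'Great article "><img src=x onerror=alert(1)>';

// Stand-in for the remote translation API (assumption: returns the text as-is).
function mockTranslate(text) {
  return text;
}

// Vulnerable pattern: the translated string is spliced back as HTML, so any
// markup hidden in the original text becomes live DOM on re-render.
function renderTranslatedUnsafe(template, text) {
  // Function replacement avoids "$"-pattern surprises in String.replace.
  return template.replace('{{text}}', () => mockTranslate(text));
}

// Hardened pattern: the translator only ever handles text, and the result is
// HTML-escaped before it touches the markup (equivalent to using textContent
// instead of innerHTML in a real DOM).
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function renderTranslatedSafe(template, text) {
  return template.replace('{{text}}', () => escapeHtml(mockTranslate(text)));
}

// Regression check for reviewers: count opening element tags in rendered
// output. Translating text must never increase the number of elements.
function countTags(html) {
  return (html.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

const TEMPLATE = '<p class="comment">{{text}}</p>';

// countTags(renderTranslatedUnsafe(TEMPLATE, CONSTRUCTED_COMMENT)) → 2 (injected <img>)
// countTags(renderTranslatedSafe(TEMPLATE, CONSTRUCTED_COMMENT))   → 1
```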

What Edge Browser Users Need to Do Right Away

Microsoft has fixed the issue in the latest Edge update, version 91.0.864.59, which is now available for download.

Edge users should therefore update their browser promptly by going to Settings and more > About Microsoft Edge (edge://settings/help) to initiate the update if it has not already happened automatically.