Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs.
The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.
Prior to February 2019, the secret Flash whitelist contained 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ, just to name the biggest names on the list.
Microsoft trimmed down the list to two Facebook domains earlier this month after a Google security researcher discovered several security flaws in Edge's secret Flash whitelist mechanism.
Ivan Fratric, the Google Project Zero security researcher who found the whitelist, described the security flaws he found as follows:
- An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
- There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains.
- The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
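The third point above, shown as an added example (not code from the article or from Edge): a host-only allowlist check beside one pinned to the full origin. The allowlist entries, sample URLs and function names are constructed placeholders; the page does not describe how Edge implements its check.

```javascript
// Constructed allowlist hosts; the real entries are not given on the page.
const ALLOWED_HOSTS = new Set(["www.social.example", "apps.social.example"]);
// The same entries pinned to scheme + host + port (the web origin).
const ALLOWED_ORIGINS = new Set([...ALLOWED_HOSTS].map((h) => `https://${h}`));

// Host-only check: ignores the scheme, so plain-http content for an
// allowlisted host is treated the same as https content.
function hostOnlyAllowed(rawUrl) {
  try {
    return ALLOWED_HOSTS.has(new URL(rawUrl).hostname);
  } catch {
    return false; // unparsable input is never allowed
  }
}

// Origin-pinned check: only https on the default port matches, because
// URL.origin serialises scheme, host and any non-default port.
function originAllowed(rawUrl) {
  try {
    return ALLOWED_ORIGINS.has(new URL(rawUrl).origin);
  } catch {
    return false;
  }
}

// Return the URLs the host-only check admits but the origin check rejects.
function audit(urls) {
  return urls.filter((u) => hostOnlyAllowed(u) && !originAllowed(u));
}

// Constructed sample inputs.
const SAMPLE_URLS = [
  "https://www.social.example/player.swf",      // allowed by both
  "http://www.social.example/player.swf",       // cleartext: host-only admits it
  "https://apps.social.example:8443/game.swf",  // non-default port: different origin
  "https://www.social.example.other.example/x", // look-alike host: rejected by both
  "HTTP://APPS.SOCIAL.EXAMPLE/game.swf",        // case is normalised, still cleartext
  "not a url",                                  // rejected by both
];

for (const u of audit(SAMPLE_URLS)) {
  console.log("host-only check would exempt:", u);
}
```

Pinning to the origin addresses only the https point; script injected through an XSS flaw on an allowlisted origin still passes either check, so the first two points depend on how many sites are on the list.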
Hi! I am a robot. I just upvoted you! I found similar content that readers might be interested in:
https://www.zdnet.com/article/microsoft-edge-lets-facebook-run-flash-code-behind-users-backs/