Wavethrough: Critical Microsoft Edge bug could let a malicious website retrieve content from other sites

A strange Microsoft Edge bug dubbed “Wavethrough” has been discovered that could allow a malicious website to retrieve content from other websites. The vulnerability uncovered by Google employee Jake Archibald occurs when a malicious website uses service workers to load multimedia content inside an < audio > tag from a remote site while using the “range” parameter to load a specific portion of the file.

Archibald said it involves wave audio and data that is allowed through despite the fact that it shouldn’t be.

"This is a huge bug," said Jake Archibald, the Google developer who discovered this bug in a blog post. "It means you could visit my [proof-of-concept] site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing."

The “Wavethrough” vulnerability was assigned CVE-2018-8235, and affects only Edge and Firefox browsers. Chrome and Safari, on the other hand, are not affected, Archibald said.

Normally, the Cross-Origin Resource Sharing (CORS) feature in all modern browsers blocks websites from loading resources from other sites. However, the flaw in the affected browsers’ CORS configuration does not issue a "CORS" request for the receiving malicious site. This allows attacking site to load and retrieve content from random domains without any issues.

Chrome browser had a similar vulnerability affecting the "range" audio/video selector, which was later patched in 2015, Archibald said.

“These bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard,” he noted. “The result is the browsers all behave slightly differently, and some ended up with security issues.

“This is why standards are important. Chrome had a similar security issue a few years ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against.”

Archibald also published a proof-of-concept website to demonstrate how the bug could display content from other websites. He also recorded a demo YouTube video to show how Wavethrough could expose contents from BBC website, using an audio file played from another malicious site.

While Microsoft engineers issued a fix for this bug with the June 2018 patch Tuesday, Mozilla engineers quickly fixed the issue that affected only the Nightly version of the browser it spread to Firefox stable versions.