A weird Edge bug that was fixed earlier this month allows a malicious website to retrieve content from other sites by playing audio files in a malformed way that produces unintended consequences.
"This is a huge bug," said Jake Archibald, the Google developer who discovered this bug.
"It means you could visit my [proof-of-concept] site in Edge, and I could read your emails, I could read your Facebook feed, all without you knowing."
The bug occurs when a malicious site uses service workers to load multimedia content inside an <audio> tag from a remote site, while also using the "range" parameter to load just a specific section of that file.
Archibald says that because of inconsistencies in how browsers treat files loaded via service workers inside audio tags, it is possible to load any content inside the malicious site.
Under normal circumstances, this wouldn't be possible because of CORS (Cross-Origin Resource Sharing), a browser security feature that stops a site's scripts from reading responses fetched from other origins.
But in this weird configuration, the attacker's site is able to issue "no-cors" requests that the receiving site (such as Facebook, Gmail, or the BBC) will honor without any problems.
This allows the attacking site to load content hidden behind authentication procedures, content that no online service in its right mind would allow to be loaded on random domains.
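To make the rule the bug broke concrete, here is an added illustrative model of the cross-origin readability decision a browser makes; it is not browser code and not Archibald's proof-of-concept, and the origins, headers and helper names in it are constructed for the example. The point it shows: a "no-cors" request yields an opaque response that a page may play or render but never read, and that holds whether the server answered with a full body or only a byte range.

```javascript
// Added illustrative model (not browser code, not the article's PoC).
// Decides whether a page at req.pageOrigin may read the body of a
// response it fetched from req.resourceOrigin.
function responseReadable(req, res) {
  // Same-origin responses are always readable.
  if (req.pageOrigin === req.resourceOrigin) {
    return { readable: true, reason: 'same-origin' };
  }
  // no-cors: the response is opaque whatever the server sends back,
  // including a 206 Partial Content answer to a "range" request.
  // Wavethrough was a browser defect that let such an opaque, ranged
  // audio response leak into readable form.
  if (req.mode === 'no-cors') {
    return { readable: false, reason: 'opaque' };
  }
  if (req.mode === 'cors') {
    const acao = res.headers['access-control-allow-origin'];
    if (acao === undefined) return { readable: false, reason: 'no ACAO header' };
    if (acao === '*') {
      // A wildcard never grants cookie-bearing (credentialed) reads.
      if (req.credentials === 'include') {
        return { readable: false, reason: 'wildcard with credentials' };
      }
      return { readable: true, reason: 'ACAO wildcard' };
    }
    if (acao === req.pageOrigin) {
      const allowCreds = res.headers['access-control-allow-credentials'] === 'true';
      if (req.credentials === 'include' && !allowCreds) {
        return { readable: false, reason: 'credentials not allowed' };
      }
      return { readable: true, reason: 'ACAO matches origin' };
    }
    return { readable: false, reason: 'ACAO mismatch' };
  }
  return { readable: false, reason: 'unsupported mode' };
}

// Constructed sample: a page on attacker.example pulling a byte range of
// an authenticated resource on bbc.example via no-cors, as in the article.
const SAMPLE = {
  req: { pageOrigin: 'https://attacker.example', resourceOrigin: 'https://bbc.example',
         mode: 'no-cors', credentials: 'include', headers: { range: 'bytes=0-1023' } },
  res: { status: 206, headers: { 'content-range': 'bytes 0-1023/99999' } },
};

// A correctly behaving browser keeps this response opaque.
function checkSample() { return responseReadable(SAMPLE.req, SAMPLE.res); }
```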
The good news is that this bug is not universal, and it had been fixed in all affected browsers at the time of writing.
Archibald says the bug, which he jokingly named Wavethrough (CVE-2018-8235), affected only Edge and Firefox, not Chrome or Safari.
Only in-dev Firefox Nightly versions were affected, and Mozilla engineers fixed the issue there before the bug ever made it into the main Firefox Stable release.
Despite facing some hurdles in reporting the issue to Microsoft, the OS maker also fixed the Wavethrough bug in the June 2018 Patch Tuesday fixes.
Because of the bug's high severity, Edge users are advised to apply all the appropriate Microsoft Edge patches, lest they remain vulnerable to this type of attack.
Archibald suspects that Chrome accidentally patched the Wavethrough bug because of other patches it implemented in 2015 regarding another bug affecting the "range" audio/video selector.
Since reporting the Wavethrough bug, Archibald has also worked to improve web standards so they become clearer on how browsers should handle the loading of resources from other sites via service worker requests [1, 2].
Archibald published a proof-of-concept site to demo the bug and recorded the following YouTube video to show users how Wavethrough exposed content from the BBC website just by playing an audio file on another site.