The Microsoft Edge web browser appears to contain a secret whitelist that allows Facebook to run Adobe Flash code without the user’s knowledge or consent. The whitelist enables Facebook to circumvent certain security requirements that apply to Flash.

Normally, a website must ask for the user’s permission before running Flash content. However, Ivan Fratric, a researcher at Google Project Zero, reports that until February 2019 a very extensive secret whitelist existed in Microsoft Edge. This whitelist comprised 58 domains that were allowed to circumvent these security measures. The whitelist has since been reduced to two Facebook domains.

Vulnerabilities discovered

According to Fratric, the list included domains and subdomains of Microsoft’s main site, as well as the MSN portal, the music streaming service Deezer, Yahoo and the Chinese social network QQ. There appeared to be certain vulnerabilities in the way the whitelist works. As a result, the site of a Spanish hairdresser, for example, could also get an exception. Fratric reported the vulnerabilities to Microsoft in November.

On Patch Tuesday this month, Microsoft finally released fixes for the reported problems. Not only have these problems been solved, but the number of sites on the whitelist has also been significantly reduced. Of the 58 domains that were originally exempted, only two remain. In addition, every domain on the whitelist must now be an https domain. Interestingly, the bug report also contains a list of all 58 originally exempted domains.

Facebook exempted

In the current version, Edge only allows Facebook to run Flash widgets without the user’s permission. These are widgets with a maximum size of 398 by 298 pixels, which are hosted on https://www.facebook.com or https://apps.facebook.com. Presumably Facebook was chosen because many of the games on the social network still run on Flash. For all other Flash widgets on other sites, Edge now simply asks for the user’s permission.
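The reduced policy described above can be written as a strict origin-and-size check. The following is an added example, not Edge's implementation and not code from the bug report; the function name, constant names and sample URLs are assumptions constructed for illustration, and the URL passed in is assumed to be that of the Flash widget.

```javascript
// Illustrative only: models the policy as the article states it.
// All names here are hypothetical; this is not how Edge is implemented.
const ALLOWED_ORIGINS = new Set([
  "https://www.facebook.com",
  "https://apps.facebook.com",
]);
const MAX_WIDTH = 398;  // pixels, from the article
const MAX_HEIGHT = 298; // pixels, from the article

function mayRunFlashWithoutPrompt(widgetUrl, width, height) {
  let url;
  try {
    url = new URL(widgetUrl);
  } catch {
    return false; // unparsable URL: fall back to asking the user
  }
  // url.origin is scheme + normalized host + non-default port, so a single
  // exact comparison rejects http:, lookalike hosts, userinfo and odd ports.
  if (!ALLOWED_ORIGINS.has(url.origin)) return false;
  if (!Number.isInteger(width) || !Number.isInteger(height)) return false;
  if (width <= 0 || height <= 0) return false;
  return width <= MAX_WIDTH && height <= MAX_HEIGHT;
}

// Constructed sample inputs: [widget URL, width, height]
const SAMPLES = [
  ["https://www.facebook.com/games/widget.swf", 398, 298],
  ["https://APPS.Facebook.com/game.swf", 300, 200],
  ["http://www.facebook.com/games/widget.swf", 398, 298],
  ["https://www.facebook.com.example.net/w.swf", 100, 100],
  ["https://www.facebook.com@example.net/w.swf", 100, 100],
  ["https://www.facebook.com:8443/w.swf", 100, 100],
  ["https://apps.facebook.com/game.swf", 399, 298],
];

function evaluateSamples() {
  return SAMPLES.map(([u, w, h]) => mayRunFlashWithoutPrompt(u, w, h));
}

console.log(evaluateSamples());
```

Comparing the parsed origin against an exact set, rather than matching on a substring or suffix of the raw URL, is what keeps the lookalike hosts in the samples from qualifying.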

This means that a site may no longer use Flash without the user’s specific permission. On Twitter, Fratric once again expresses his surprise at the whitelist.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.