A few days ago, security researchers disclosed the details of an extension host-permission bypass vulnerability in the Microsoft Edge browser. Microsoft fixed the problem in its routine March 2019 update, but the researchers withheld the details until now for security reasons. The vulnerability is triggered through browser extensions. In principle, each extension holds only the specific permissions it declares, and those declarations are subject to manual review by Microsoft. The vulnerability, however, allowed an attacker to use a malicious extension to read the content of every website the user visits; for example, when the user opened their mailbox, the extension could read the contents of the messages.
Under normal circumstances, an extension can only request the permissions that its functionality needs, and without a given permission it cannot call the corresponding API to read the data. The available permissions are extensive: reading the user's bookmarks, history, forms and passwords, and locally stored data. Some extensions legitimately require broad permissions because of what they do; a password manager, for example, must manage and read the account passwords for every website. When an extension is uploaded to the Microsoft Store it is reviewed manually, so if the review finds that the requested permissions do not match the extension's function, Microsoft refuses to list it.
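The review described above comes down to one check: do the permissions an extension declares in its manifest match what it claims to do? The following is an added example, not code from the article or from Microsoft, of a small audit script a reviewer or a defender inventorying installed extensions could run over a Chromium-style `manifest.json` (the format Edge extensions use). It treats three sources of page access as equivalent, because each lets the extension read page content: host patterns mixed into `permissions` (manifest v2), `host_permissions` (manifest v3), and the `matches` of `content_scripts`. The two sample manifests, the list of sensitive API names and the risk thresholds are constructed for illustration.

```python
import json

# Match patterns that grant access to every site (constructed list of the
# documented "all hosts" forms).
ALL_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# API permissions that let an extension observe or alter browsing broadly
# (constructed selection for this example).
SENSITIVE_API_PERMISSIONS = {
    "tabs", "webRequest", "webRequestBlocking", "webNavigation",
    "cookies", "history", "bookmarks", "clipboardRead", "nativeMessaging",
}


def is_host_pattern(entry):
    """Match patterns look like scheme://host/path; API names do not."""
    return entry == "<all_urls>" or "://" in entry


def classify_host_pattern(pattern):
    """Return 'all', 'wildcard-domain' or 'specific' for one match pattern."""
    if pattern in ALL_HOST_PATTERNS:
        return "all"
    _scheme, _, rest = pattern.partition("://")
    host = rest.split("/", 1)[0]
    if host == "*":
        return "all"
    if host.startswith("*."):
        return "wildcard-domain"
    return "specific"


def collect_host_access(manifest):
    """Gather every source of page access as (source, pattern) pairs."""
    hosts = []
    for entry in manifest.get("permissions", []):
        if is_host_pattern(entry):  # MV2 mixes hosts and API names
            hosts.append(("permissions", entry))
    for entry in manifest.get("host_permissions", []):  # MV3
        hosts.append(("host_permissions", entry))
    for script in manifest.get("content_scripts", []):
        for entry in script.get("matches", []):  # injected scripts read the DOM
            hosts.append(("content_scripts", entry))
    return hosts


def audit_manifest(manifest):
    """Flag all-site access and sensitive APIs; return a report dict."""
    findings = []
    host_access = collect_host_access(manifest)
    all_sites = [(s, p) for s, p in host_access
                 if classify_host_pattern(p) == "all"]
    for source, pattern in all_sites:
        findings.append(f"{source}: '{pattern}' grants access to every site")
    api_names = {e for e in manifest.get("permissions", [])
                 if not is_host_pattern(e)}
    for api in sorted(api_names & SENSITIVE_API_PERMISSIONS):
        findings.append(f"permissions: sensitive API '{api}'")
    wildcard = any(classify_host_pattern(p) == "wildcard-domain"
                   for _, p in host_access)
    if all_sites:
        risk = "high"        # can read every page, like the mailbox case
    elif findings or wildcard:
        risk = "medium"
    else:
        risk = "low"
    return {"name": manifest.get("name", "?"), "risk": risk,
            "findings": findings, "host_access": host_access}


# Constructed sample manifests: a "bookmark helper" whose requested access
# does not match its stated purpose, and a tool scoped to one site.
BOOKMARK_HELPER = {
    "manifest_version": 2, "name": "Bookmark Helper",
    "permissions": ["bookmarks", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}],
}
SITE_TOOL = {
    "manifest_version": 3, "name": "Example Site Tool",
    "permissions": ["storage"],
    "host_permissions": ["https://example.com/*"],
}

if __name__ == "__main__":
    for manifest in (BOOKMARK_HELPER, SITE_TOOL):
        print(json.dumps(audit_manifest(manifest), indent=2))
```

A "high" result is not proof of malice, since a password manager would score the same, but it is exactly the case where the review must confirm that the declared function justifies reading every page.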
In a real attack, an attacker could use this vulnerability to read sensitive information from any website, but first had to convince the user to visit an attacker-controlled website. Once the permission was obtained, the attacker could read information from every site the user visited; for example, the attacker could read the complete content of a message while the user was viewing their mailbox.
Because Microsoft fixed the vulnerability several months ago, the researchers have now published its full details, and interested readers can consult their write-up.