After issuing a patch, users are encouraged to make sure they are using the latest version of the browser.
According to reports of experts in information security training from the International Institute of Cyber Security, a Google developer has discovered a serious vulnerability that affects Microsoft Edge and other browsers, and that could provide an attack access to the victim’s private information.
“It’s a huge bug, it means you could visit my site on Edge, and I could read your emails, or have access to your Facebook account, all without you knowing it”, wrote Jake Archibald, who found the security hole in a circumstantial way.
If exploited, the vulnerability, labeled as CVE-2018-8235, could allow a remote attacker to retrieve content from other tabs within the victim’s browser. This includes sites that ask users to authenticate themselves.
Of the four main search engines, the bug mostly affected Microsoft Edge. Having been alerted about the error, Microsoft released a patch in its June 2018 update. For Firefox, only the beta versions were affected, and Mozilla was quick to correct the error before it could affect the users of their current version; Safari and Chrome were not affected.
The bug has to do with the way browsers treat cross-source requests to media content. According to experts in information security training, the vulnerability can be exploited when a malicious website uses service workers to load content into an “audio” label from another domain while simultaneously using the “range” parameter to find only one section of that file.
Browsers don’t always respond in the same way when they upload files inside audio tags from other locations with the help of service workers, and a malicious website can search for that content from another site.
Microsoft referred to the bug as “a security feature bypass vulnerability that exists when Microsoft Edge treats inappropriately requests from different sources”.
Information security training experts argue that an attacker who successfully exploits the vulnerability could force the browser to send data that would otherwise be restri