Microsoft recently improved important security shortages in the Internet Edge browser after two Cyber ​​security researchers – Vansh Devan from Uttar Pradesh and Shivam Kumar Singh from Haryana – told Microsoft about the same thing.
The duo found “vulnerable codes” involving UXSS (Universal Cross Site Script) in Microsoft Translator who came pre-installed in the Edge browser and reported the same thing under the Bounty Chromium program.
Microsoft paid the highest prize of $ 20,000 (approximately RS 15 lakh) to them.
While Shivam runs its own business and becomes a part-time bug hunt, Vansh has completed his third year in computer science B.Tech from a beautiful professional university and is a cyber security fan.
Security vulnerability, tracked as CVE-2021-34506, has been repaired in the latest release of Microsoft Edge Stable Channel (version 91.0.864.59).
The impact of security weakness is very severe like anyone who visits the website using the Microsoft Edge browser and pressing the Language button Translate to read content in the language they can inject arbitrary code to do whatever they want.
“We made a profile on Facebook with a name in different languages ​​and load XSS and send friend requests to victims (he uses Microsoft Edge) as soon as he checks his profile he is hacked (SCC popup due to automatic translation),” explained Vansh Devan who runs Cyberxplore Private Limited together with this friend Shivam Kumar Singh.
The only prerequisite for running a simple arbitrary code: Use the Microsoft Edge browser and stay on automatically.
Explain payload, cyberxplore team in their blog posts, “We have written reviews about Google for Hackenews companies with different languages ​​+ xss payload everyone who explores the Link Review (Popup XSS due to automatic translation).” Duo claims that they can even pass YouTube and the Windows Store application exploit this vulnerability.
“Unlike the General XSS attack, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extension to produce conditions of XSS, and carry out malicious code.
When such vulnerabilities are found and exploited, browser behavior is affected and its security features can be passed or Disabled, “he explained.