Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs (zdnet.com)

Posted by msmash on from the fyi dept.

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

5 of 127 comments (clear)

  1. Microsoft security by QuietLagoon · · Score: 4, Insightful

    An oxymoron if I ever saw one.

  2. THIS is why closed-source is bad by Anonymous Coward · · Score: 5, Insightful

    I mean, come on, the fact they encrypted the list and it had to be brute-forced meant that a) Microsoft didn't want us know and b) they knew it was sneaky. How much more anti-consumer can a program be -- it was hiding intentional violations of its own touted 'security policies' for some privileged group that isn't the user.

  3. How is this different from other browsers? by The+MAZZTer · · Score: 4, Insightful

    In the transition time to deprecating Flash and removing it from browsers entirely, there are still sites that use Flash and users of those sites which rely on it. So, all of the browsers have a whitelist which allows some sites to continue working while preventing others from introducing brand-new Flash content. This helps with the transition. Eventually the browsers narrow this list down in scope and add more security barriers in front of Flash until they can remove it entirely. That sounds exactly like what is happening here; the whitelist is down to two entries both of which are extremely popular sites. The whitelist and Flash itself will likely be removed at some point. I am not sure why the cause for alarm here; it wasn't too long ago that flash ran by default on ALL websites.

    I think the only real point of concern here is the lack of click to play, especially since anyone can make a Flash app with who knows what spyware as content and get it uploaded as a Facebook app.

    1. Re:How is this different from other browsers? by viperidaenz · · Score: 5, Insightful

      Because it's a "secret" list users don't have the ability to change.

      Facebook obviously doesn't need to use Flash to function, as Chrome and Firefox don't have this exemption.

  4. Re:Yet again I calll for browser indepenance by green1 · · Score: 5, Insightful

    Not everyone is a skilled coder. Some people just want to use the internet without being a victim. Telling them to build their own browser isn't exactly helpful.