Slashdot Mirror


Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs (zdnet.com)

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

3 of 127 comments

  1. Is this like Net Neutrality. by jellomizer · Score: 3, Interesting

    Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
    These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

    As doing web development, when I see something interesting, I will dig into the code to figure it out. Like how Google gave the search suggestions while typing, and Google Maps a while back, that is where I learned Ajax. But if all the major browser makers just made a <GoogleSearchAhead> tag, if I were to try to make something based on the technology, it would be blocked to me.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  2. So it's trivial for a wifi portal to run Flash by viperidaenz · Score: 4, Interesting

    All you need to do is redirect your "WiFi login" page to a whitelisted domain, MITM that domain, since you control the wifi network, and deliver whatever malicious Flash content you desire.
    Easy to do, since the whitelist is not restricted to HTTPS connections.

  3. Re:Hardware firewall by green1 · Score: 4, Interesting

    As pointed out earlier by another poster, that's getting harder and harder as well.

    More programs *cough*Chrome*cough* are using their own internal resolvers instead of the system one, and running those over HTTPS specifically to bypass local domain blocks. IP blocks are also difficult with today's CDNs with large numbers of ever-changing IPs, and domain-based virtual hosts.

    Sure, you can get around all this for now, but I'm not sure that long term you'll be able to.
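
Added example, not part of the thread and not Edge's code: the second comment's point is that an allowlist keyed on the domain alone gives the same trust to a plain-HTTP page as to an HTTPS one. The sketch below puts a host-only check beside one that requires an HTTPS origin; the function names, the default-port rule and the sample URLs are assumptions, and only the two host names come from the summary.

```javascript
// Hypothetical model of a plugin allowlist (illustration only, not Edge's implementation).
// The two hosts are the entries the summary says remain on the list.
const ALLOWED_HOSTS = new Set(["facebook.com", "apps.facebook.com"]);

// Weak form: trusts the hostname alone, so scheme and port are never considered.
function hostOnlyAllows(pageUrl) {
  try {
    return ALLOWED_HOSTS.has(new URL(pageUrl).hostname);
  } catch {
    return false; // unparsable input is never trusted
  }
}

// Hardened form: exact host match on an HTTPS origin at the default port.
// A plain-HTTP response can be supplied by whoever controls the network path,
// so it must not inherit the allowlisted origin's privileges.
function httpsOriginAllows(pageUrl) {
  let url;
  try {
    url = new URL(pageUrl);
  } catch {
    return false;
  }
  if (url.protocol !== "https:") return false;
  if (url.port !== "") return false; // URL normalizes the default port 443 to ""
  return ALLOWED_HOSTS.has(url.hostname);
}

// Constructed sample URLs for comparison.
const SAMPLES = [
  "https://apps.facebook.com/game",
  "http://apps.facebook.com/game",   // same host, no transport authentication
  "HTTP://FACEBOOK.COM/",            // case is normalized by the URL parser
  "https://facebook.com:8443/",      // different origin (non-default port)
  "https://facebook.com.example/",   // lookalike suffix, different host
];

// Returns one row per URL showing where the two checks disagree.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    hostOnly: hostOnlyAllows(u),
    httpsOrigin: httpsOriginAllows(u),
  }));
}

console.table(compare(SAMPLES));
```

The rows where `hostOnly` is true and `httpsOrigin` is false are the cases in which the scheme or port, rather than the domain name, decides whether the page deserves the allowlisted treatment.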