Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

So it's trivial for a wifi portal to run Flash

[viperidaenz]

All you need to do is redirect your "WiFi login" page to a whitelisted domain, MITM that domain, since you control the wifi network, and deliver what ever malicious Flash content you desire.
Easy to do, since the whitelist is not restricted to HTTPS connections.

Re:Hardware firewall

[green1]

As pointed out earlier by another poster, that's getting harder and harder as well.

More programs *cough*Chrome*cough* are using their own internal resolvers instead of the system one, and running those over HTTPS specifically to bypass local domain blocks. IP blocks are also difficult with today's CDNs with large numbers of ever changing IPs, and domain based virtual hosts.

Sure, you can get around all this for now, but I'm not sure that long term you'll be able to.