Slashdot Mirror


Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs (zdnet.com)

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

59 of 127 comments

  1. Microsoft security by QuietLagoon · · Score: 4, Insightful

    An oxymoron if I ever saw one.

  2. Is this like Net Neutrality. by jellomizer · · Score: 3, Interesting

    Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
    These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

    As doing web development, when I see something interesting, I will dig into the code to figure it out. Like how Google gave the search suggestions while typing, and Google Maps a while back, that is where I learned Ajax. But if all the major browser makers just made a <GoogleSearchAhead> tag, if I were to try to make something based on the technology, it would be blocked to me.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Is this like Net Neutrality. by Anonymous Coward · · Score: 1

      Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
      These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

      You can do everything you need to do and live a very nice life without Facebook or Edge.

      Don't use Edge and Facebook blocked in hosts file (and at the router, just to be sure). Problem solved.

    2. Re:Is this like Net Neutrality. by viperidaenz · · Score: 1

      You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.
      Browsers are moving towards dns over http, which bypasses your hosts file.

      Good luck with your blocking.

    3. Re:Is this like Net Neutrality. by Anonymous Coward · · Score: 1

      I may not use Facebook. But it provides some value to many of the users. To protect their IP, Facebook may implement certain features explicitly through flash. Nothing wrong with that. They spent resources on it and want to keep it away from the competitors.

      However if I figure it out on my own or would like to protect my IP similar to how FB does, visitors to my site would be shown a warning and discouraged from enabling the nice feature I developed. I am at an unfair disadvantage at this point.

      Also, Flash has a documented history of security vulnerabilities. If FB Flash is whitelisted, god knows what level of freedom is given - storage limits, reading files outside their sandbox, etc. And the user is not even made aware of this exception. After a tech savvy user knows this and figures out a way to indicate that FB should not be on the whitelist (dunno if that's even possible), what guarantee is there to actually honor the user's preference?

    4. Re:Is this like Net Neutrality. by jellomizer · · Score: 2

      The issue isn't DRM, but the fact that Facebook has an unfair advantage, in terms of it having Flash greenlighted to them. While someone else, if they chose to use flash will get warnings, and wouldn't have the resources to get MS to green-light it for them.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    5. Re:Is this like Net Neutrality. by msauve · · Score: 1

      Perhaps, but any decent firewall can block based on much more than IP addresses. Create your own cert, and run it as an SSL proxy, so it can inspect your own https traffic.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    6. Re:Is this like Net Neutrality. by fahrbot-bot · · Score: 3, Informative

      You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.

      Kashmir Hill at Gizmodo did a series where she spent a week each blocking Amazon, Facebook, Google, Microsoft, and Apple from her life (devices and internet sites), then a week blocking them all. (link to series) She had a friend set up a VPN for her devices configured to block access to the provider(s) and she noted in the articles how many IPs each controlled: Amazon: 23 million, Apple: 6 million, Facebook: 122,880, Google: 8 million, Microsoft: 21 million -- there's a link in each article to the data. She noted that blocking / not using Amazon was virtually impossible.

      Browsers are moving towards dns over http, which bypasses your hosts file.

      Don't know about Chrome (or other browsers), but this can be controlled and/or disabled in Firefox by setting "network.trr.mode" to 0. From my Firefox / Thunderbird "user.js" file:

      // https://blog.nightly.mozilla.o...
      // https://wiki.mozilla.org/Trust...
      // 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
      // 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

      user_pref("network.trr.mode", 0);

      --
      It must have been something you assimilated. . . .
    7. Re: Is this like Net Neutrality. by Archangel Michael · · Score: 1

      Add in Pi-Hole to the mix, and you'll be even better off.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    8. Re:Is this like Net Neutrality. by viperidaenz · · Score: 1

      Sounds like a good way to compromise security and performance in one shot.

      I suppose you could do some kind of dynamic IP blocking, by using the router as a DNS proxy, and blocking what ever IP addresses are resolved for specific host names. That doesn't work with dns-over-http but it's better than maintaining a huge list of ever changing IP addresses.

    9. Re:Is this like Net Neutrality. by _merlin · · Score: 1

      This is something that really shouldn't be buried like this. When using the OS name resolver, I can point it at a DNS server that I control or trust, and alter resolution with the hosts file if necessary. With TRR, it goes to a provider of Mozilla's choosing that I have no control over and have no reason to trust. This kind of stuff shouldn't be hidden in an obscure, hard-to-find setting.

    10. Re:Is this like Net Neutrality. by msauve · · Score: 1

      "Sounds like a good way to compromise security and performance in one shot."

      Sounds like it to you, but then you obviously don't know much about network security. It's a very common enterprise solution, where any security or performance issues are much more pronounced than in a home environment.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    11. Re:Is this like Net Neutrality. by fahrbot-bot · · Score: 1

      With TRR, it goes to a provider of Mozilla's choosing that I have no control over and have no reason to trust.

      As mentioned in both Mozilla links I included, you can specify the DoH server with "network.trr.uri" :

      Link 1: 4. Set "network.trr.uri" to your DoH server. Cloudflare’s is https://mozilla.cloudflare-dns... but you can use any DoH compliant endpoint.

      Link 2: Set "network.trr.uri". Ones that you may use: https://mozilla.cloudflare-dns..., https://dns.google.com/experim...

      I believe I read that Google is considering a GUI implementation for the DoH configuration for Chrome.

      --
      It must have been something you assimilated. . . .
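Added example (not part of either fahrbot-bot post): a small Node.js audit of a Firefox `user.js`/`prefs.js` for the two preferences named above, `network.trr.mode` and `network.trr.uri`. The mode meanings are copied from the list in the earlier comment; the sample file contents and the `doh.example` endpoint are constructed.

```javascript
// network.trr.mode values exactly as listed in the comment above.
// trrCanAnswer: can a name be answered by the DoH resolver in this mode?
const TRR_MODES = new Map([
  [0, { meaning: "off by default", trrCanAnswer: false }],
  [1, { meaning: "Firefox chooses faster", trrCanAnswer: true }],
  [2, { meaning: "TRR default with DNS fallback", trrCanAnswer: true }],
  [3, { meaning: "TRR only", trrCanAnswer: true }],
  [4, { meaning: "DNS, with TRR shadowed for timings", trrCanAnswer: false }],
  [5, { meaning: "disabled", trrCanAnswer: false }],
]);

// Parse user_pref("name", value); lines. Commented-out lines are skipped
// and a later assignment overrides an earlier one.
function parsePrefs(text) {
  const prefs = new Map();
  const prefLine = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const raw of text.split(/\r?\n/)) {
    const m = prefLine.exec(raw);
    if (!m) continue;
    try {
      prefs.set(m[1], JSON.parse(m[2])); // number, boolean or "string"
    } catch {
      prefs.set(m[1], m[2]); // keep the raw text rather than drop the pref
    }
  }
  return prefs;
}

// Report what the file says about DNS-over-HTTPS resolution.
function auditTrr(text) {
  const prefs = parsePrefs(text);
  const mode = prefs.has("network.trr.mode") ? prefs.get("network.trr.mode") : null;
  const uri = prefs.has("network.trr.uri") ? prefs.get("network.trr.uri") : null;
  const known = TRR_MODES.get(mode);
  let meaning = "not set in this file";
  if (mode !== null) meaning = known ? known.meaning : "unrecognised value";
  return { mode, uri, meaning, trrCanAnswer: known ? known.trrCanAnswer : null };
}

// Constructed sample: the single setting quoted from the commenter's user.js.
const SAMPLE_OFF = 'user_pref("network.trr.mode", 0);';

// Constructed sample: DoH enabled, endpoint overridden, one dead line,
// and a later line that overrides the first mode.
const SAMPLE_ON = [
  "// constructed sample, not a real profile",
  'user_pref("network.trr.mode", 2);',
  'user_pref("network.trr.uri", "https://doh.example/dns-query");',
  '// user_pref("network.trr.mode", 0);',
  'user_pref("network.trr.mode", 3);',
].join("\n");

console.log(auditTrr(SAMPLE_OFF));
console.log(auditTrr(SAMPLE_ON));
```

A `mode` of `null` means the file does not set the preference, so the browser's own default applies and has to be checked in `about:config`.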
    12. Re:Is this like Net Neutrality. by _merlin · · Score: 1

      So it can be changed in another buried setting that I have to fuck around searching for and won't remember. Lovely. Do I need to get another add-on to manage this like I had to get CookieBro to manage individual cookies? I really hate this dumbing down of the browser.

    13. Re:Is this like Net Neutrality. by viperidaenz · · Score: 1

      The enterprise solutions aren't perfect.
      Not only does it slow things down, it increases latency too. These are compromises enterprises make to monitor traffic.
      You end up with a situation where your browser never sees the certificate from the website in question. You can't inspect it yourself.
      You have another certificate store to keep up to date.
      It completely breaks public key pinning and fires off reports for public key pin reporting.
      You don't have a choice to ignore certificate errors.

      The one I'm behind right now makes an exception for Extended Validation certificates, it doesn't intercept them at all so users who expect to see an EV cert in the address bar can still see it and know it's still secure.

  3. Re:lol k by ThomasD3 · · Score: 1

    He probably gave up on the internet :) The funny thing is that after MS tortured everyone with IE, even if Edge was amazing, most of us wouldn't even give it a chance.

  4. Both Edge users are terribly upset by spywhere · · Score: 3, Funny

    (sorry)

    1. Re:Both Edge users are terribly upset by DickBreath · · Score: 1

      Why are you sorry? Both Edge users aren't upset, but are happy that they can play their Facebook Flash games. And that is probably about the only thing that a Microsoft browser is good for. Especially since REAL browsers aren't the most welcoming of Flash. And Facebook and its third parties cannot be bothered to migrate from Flash to a more 21st century technology.

      --

      I'll see your senator, and I'll raise you two judges.
  5. Yet again I call for browser independence by xack · · Score: 1

    And yet again no one listens. I expect Mozilla and Google have "secret lists" too. Brave was recently exposed sending "secret headers" to certain websites too.

    1. Re:Yet again I call for browser independence by rudy_wayne · · Score: 1

      Feel free to go ahead and develop an independent browser. Nobody is stopping you.

      Oh, that's right, you want somebody else to do it.

    2. Re:Yet again I call for browser independence by green1 · · Score: 5, Insightful

      Not everyone is a skilled coder. Some people just want to use the internet without being a victim. Telling them to build their own browser isn't exactly helpful.

    3. Re:Yet again I call for browser independence by religionofpeas · · Score: 1

      Feel free to go ahead and develop your own internet, then.

    4. Re:Yet again I call for browser independence by Dragonslicer · · Score: 1

      Feel free to go ahead and develop your own internet, then.

      But this one already has blackjack and hookers, so what's the point?

    5. Re:Yet again I call for browser independence by WCMI92 · · Score: 1

      A hosts file doesn't take any great amount of expertise to edit.

      The problem is that in Windows 10 and the later versions of Windows server not even Administrator is Administrator.

      So Microsoft trusts Facebook more than its customers. That is like trusting a burglar over a homeowner. And I am not at all wrong in the comparison. Zuckerberg/Sandberg are known abusers.

      --
      Corporatism != Free Market
    6. Re:Yet again I call for browser independence by scdeimos · · Score: 1

      The problem is that in Windows 10 and the later versions of Windows server not even Administrator is Administrator.

      UAC has been around since at least Windows Vista. Has nobody ever shown you the Run as Administrator options so you can do administrative things with the Administrator account?

    7. Re:Yet again I call for browser independence by grep -v '.*' * · · Score: 1

      Not everyone is a skilled coder. Telling them to build their own browser isn't exactly helpful.

      ??? You don't need to, it's all easy enough -- doesn't everyone know "telnet site 80"? It's all that math at 443 that's hard -- the sage Barbie was PRESCIENT!

      Although binary-decoding moving GIFs in your head in real-time IS fairly hard, I'll give you that.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    8. Re:Yet again I call for browser independence by Waccoon · · Score: 1

      More appropriately, many of the problems we experience in communication technology are driven by politics. It's really hard to develop a technical solution to a political problem, no matter how much skill and spare time you have.

      I've been running my own e-mail server for over 15 years, because I don't want my ISP or a media mogul to do it for me. Ask me how many mails I can actually send/receive with so many big networks blacklisting smaller domains they don't recognize. Oh well... might as well give up and get a Discord like everyone else! All the cool kids are doing it (since they already forgot what happened to Skype).

    9. Re:Yet again I call for browser independence by green1 · · Score: 1

      I've been running my own mail server for almost 20 years. I have no trouble sending or receiving mail to any of the big players. There are a couple of caveats though, you must have several things in place in the modern world of email:
      - you must be hosted on a "server" IP, if big names think it's a dynamic or residential IP, you'll never get through.
      - Reverse DNS that matches your domain's MX
      - SPF records
      - DKIM signatures
      - DMARC records
      - No open relays, all your users must be authenticated.
      - Never let SPAM, or anything that could be construed as SPAM originate from your server.
      And for your own sanity:
      - Positively exceptional SPAM filtering

      Failure to have any of those set up perfectly will get you in big trouble. But with all of that set up right, I haven't had any problems.

  6. THIS is why closed-source is bad by Anonymous Coward · · Score: 5, Insightful

    I mean, come on, the fact they encrypted the list and it had to be brute-forced meant that a) Microsoft didn't want us know and b) they knew it was sneaky. How much more anti-consumer can a program be -- it was hiding intentional violations of its own touted 'security policies' for some privileged group that isn't the user.

    1. Re:THIS is why closed-source is bad by thegarbz · · Score: 1

      Did you post this from a personally vetted browser? Or do you just assume because something is magically open source that someone else trustworthy vetted it for you?

  7. How is this different from other browsers? by The MAZZTer · · Score: 4, Insightful

    In the transition time to deprecating Flash and removing it from browsers entirely, there are still sites that use Flash and users of those sites which rely on it. So, all of the browsers have a whitelist which allows some sites to continue working while preventing others from introducing brand-new Flash content. This helps with the transition. Eventually the browsers narrow this list down in scope and add more security barriers in front of Flash until they can remove it entirely. That sounds exactly like what is happening here; the whitelist is down to two entries both of which are extremely popular sites. The whitelist and Flash itself will likely be removed at some point. I am not sure why the cause for alarm here; it wasn't too long ago that flash ran by default on ALL websites.

    I think the only real point of concern here is the lack of click to play, especially since anyone can make a Flash app with who knows what spyware as content and get it uploaded as a Facebook app.

    1. Re:How is this different from other browsers? by viperidaenz · · Score: 5, Insightful

      Because it's a "secret" list users don't have the ability to change.

      Facebook obviously doesn't need to use Flash to function, as Chrome and Firefox don't have this exemption.

    2. Re:How is this different from other browsers? by DontBeAMoran · · Score: 1

      You think FACEBOOK has been too small and without enough resources to remove anything Flash-related for the last decade?

      --
      #DeleteFacebook
    3. Re:How is this different from other browsers? by AHuxley · · Score: 1

      Ad company gets the approved power to do that?

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:How is this different from other browsers? by tepples · · Score: 1

      Flash has been dangerous to run for 20 years

      Twenty years ago, what would have been superior to Flash for making things like All Your Base, Hatt-baby, Hyakugojyuuichi, Badger Badger Badger, Weebl and Bob, Homestar Runner, and everything on Newgrounds? Consider that many people still had 0.05 Mbps Internet at the time.

    5. Re:How is this different from other browsers? by dunkelfalke · · Score: 1

      It would still be superior for that task. All that classic stuff has been converted to streaming video nowadays, eating far more bandwidth, yet with worse quality.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    6. Re:How is this different from other browsers? by jbmartin6 · · Score: 1

      More interesting, perhaps, is Facebook knew nothing about it and asked for their domains to be removed. At least that is what they said.

      --
      This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  8. Re:And this is why... by rudy_wayne · · Score: 1

    And you know this because you have carefully examined every line of source code, right?

  9. What's that? by raymorris · · Score: 2

    > Don't use Edge and Facebook blocked in hosts file

    What is hosts file and how do you block things in it?

    1. Re:What's that? by DontBeAMoran · · Score: 1

      What is hosts file and how do you block things in it?

      Oh shit, now you've done it.

      Prepare for hosts-related spamming in this thread! Everyone take cover!

      --
      #DeleteFacebook
    2. Re:What's that? by dryeo · · Score: 1
      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
  10. So it's trivial for a wifi portal to run Flash by viperidaenz · · Score: 4, Interesting

    All you need to do is redirect your "WiFi login" page to a whitelisted domain, MITM that domain, since you control the wifi network, and deliver what ever malicious Flash content you desire.
    Easy to do, since the whitelist is not restricted to HTTPS connections.
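Added example, not part of the comment above and not Edge's code: a simplified Node.js model of why an allowlist matched on host name alone is weaker than one bound to an HTTPS origin. The two host names are the ones the story says remain on the list; the function names, the default-port rule and the sample URLs are constructed.

```javascript
// Constructed model of a plugin allowlist check.
const ALLOWLIST = new Set(["facebook.com", "apps.facebook.com"]);

// The URL parser already lower-cases the host; also drop a trailing dot
// so "facebook.com." and "facebook.com" compare equal.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "");
}

// Weak form: the decision depends on the host name only, so content
// fetched over unauthenticated http:// from a listed name is trusted too.
function hostOnlyCheck(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  return ALLOWLIST.has(normaliseHost(url.hostname));
}

// Hardened form: same exact-host match, but only for an authenticated
// origin (https scheme on its default port).
function originBoundCheck(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return false; }
  if (url.protocol !== "https:") return false;
  if (url.port !== "") return false; // the parser reports default 443 as ""
  return ALLOWLIST.has(normaliseHost(url.hostname));
}

// Constructed inputs covering the cases a matcher has to get right.
const SAMPLE_URLS = [
  "https://apps.facebook.com/game",      // intended case
  "http://apps.facebook.com/game",       // listed host, no TLS
  "https://FACEBOOK.com:443/",           // case and explicit default port
  "https://facebook.com:8443/",          // listed host, other port
  "https://facebook.com.evil.example/",  // look-alike suffix
  "https://facebook.com@evil.example/",  // listed name in userinfo only
];

// Side-by-side verdicts for each URL.
function compare(urls) {
  return urls.map((u) => ({
    url: u,
    hostOnly: hostOnlyCheck(u),
    originBound: originBoundCheck(u),
  }));
}

console.table(compare(SAMPLE_URLS));
```

The second row is the only one where the two checks disagree on scheme alone, which is the gap the comment describes.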

  11. Re:Hardware firewall by green1 · · Score: 4, Interesting

    As pointed out earlier by another poster, that's getting harder and harder as well.

    More programs *cough*Chrome*cough* are using their own internal resolvers instead of the system one, and running those over HTTPS specifically to bypass local domain blocks. IP blocks are also difficult with today's CDNs with large numbers of ever changing IPs, and domain based virtual hosts.

    Sure, you can get around all this for now, but I'm not sure that long term you'll be able to.

  12. Re:this is why... by viperidaenz · · Score: 1

    Which has supported Flash since 1996

  13. Re:this is why... by green1 · · Score: 1

    Navigator? c'mon, real men use lynx!

  14. Re:this is why... by chthon · · Score: 1

    Emacs M-x browse-web

  15. Better joke: by Anonymous Coward · · Score: 4, Funny

    How many Edge users were upset to learn about the secret whitelist that allows Facebook to run Flash?

    Both!

  16. Facebook can't be trusted by WCMI92 · · Score: 2

    As even Apple has learned. Now Microsoft will be burned.

    --
    Corporatism != Free Market
    1. Re:Facebook can't be trusted by strikethree · · Score: 1

      As even Apple has learned. Now Microsoft will be burned.

      Really?! Microsoft gave themselves access to ALL of your files and you think that THIS misuse of trust is the one that will get them?

      Pardon me for a second. I can't type while I am laughing so hard. I think I might be getting a broken rib here. OMGWTFBBQ

      --
      "Someone needs to talk to the tree of liberty about its ghoulish drinking problem." by ohnocitizen
  17. vmware by nnet · · Score: 1

    and vsphere mgmt.

  18. Re:this is why... by PPH · · Score: 1

    NCSA Mosaic.

    --
    Have gnu, will travel.
  19. Re:pihole breaks mobile apps by Archangel Michael · · Score: 1

    Hey Wiretap, what is a good recipe for Chocolate Cake?

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  20. Who still uses Edge? by Locke2005 · · Score: 2

    Other than as the world's most popular method of downloading Chrome...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.
  21. Re: Hardware firewall by cunina · · Score: 1

    Chrome does DNS query caching; it doesn't have its own DNS it consults.

  22. Re:Joke: by Darinbob · · Score: 1

    But I came here for an argument!

  23. Ohhhhh by JustAnotherOldGuy · · Score: 1

    Nothing nefarious here, just good ol' Microsoft secretly fucking over you and your PC behind your back.

    I will say this is different; usually they do it right to your face.

    So glad I switched to Mint, not that I ever would have allowed Edge* to run. The ONLY thing Edge might be good for is downloading another browser, beyond that it's pure rubbish.

    .

    *Edge, AKA "The Little Browser That Couldn't"

    --
    Just cruising through this digital world at 33 1/3 rpm...
  24. Re:And this is why... by JustAnotherOldGuy · · Score: 1

    ...and compiled it yourself?

    Yes, and I wrote the compiler and fabricated the integrated circuits myself.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  25. MS chrome browser by sad_ · · Score: 1

    expect the same tricks from the MS chrome based browser, another reason just to not use it.
    changing rendering engines will not make me change my mind.

    --
    On a long enough timeline, the survival rate for everyone drops to zero.
  26. Re: Hardware firewall by green1 · · Score: 1

    After investigating, it looks like Google backtracked on it, and removed the async dns resolver a little while ago (here's a post that talks about what it was: https://discourse.pi-hole.net/t/disable-async-dns-resolver-in-google-chrome/9500)

    So yes, Chrome DID have its own internal resolver, but they seem to have backtracked and now only have a cache (which still will cause problems if you're switching between servers such as internal corporate DNS to outside world when you connect/disconnect your company VPN).

    That said other apps (especially mobile games) have been caught with their own internal resolvers so as to ensure no adblocker (or malware blocker) can be used.