Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs (zdnet.com)

Posted by msmash on from the fyi dept.

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

15 of 127 comments (clear)

  1. Microsoft security by QuietLagoon · · Score: 4, Insightful

    An oxymoron if I ever saw one.

  2. Is this like Net Neutrality. by jellomizer · · Score: 3, Interesting

    Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
    These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

    As doing web development, when I see something interesting, I will dig into the code to figure it out. Like how Google gave the search suggestions while typing, and Google Maps a while back, that is where I learned Ajax. But if all the major browser makers, just made a <GoogleSearchAhead> tag If I were to try to make something based on the technology, it would be blocked to me.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:Is this like Net Neutrality. by jellomizer · · Score: 2

      The issue isn't DRM, but the fact that Facebook has an unfair advantage, in terms of it having Flash greenlighted to them. While someone else, if they chose to use flash will get warnings, and wouldn't have the resources to get MS to green-light it for them.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:Is this like Net Neutrality. by fahrbot-bot · · Score: 3, Informative

      You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.

      Kashmir Hill at Gizmodo did a series where she spent a week each blocking Amazon, Facebook, Google, Microsoft, and Apple from her life (devices and internet sites), then a week blocking them all. (link to series) She had a friend setup a VPN for her devices configured to block access to the provider(s) and she noted in the articles how many IPs each controlled: Amazon: 23 million, Apple: 6 million, Facebook: 122,880, Google: 8 million, Microsoft: 21 million -- there's a link in each article to the data. She noted that blocking / not using Amazon was virtually impossible.

      Browsers are moving towards dns over http, which bypasses your hosts file.

      Don't know about Chrome (or other browsers), but this can be controlled and/or disabled in Firefox by setting "network.trr.mode" to 0. From my Firefox / Thunderbird "user.js" file:

      // https://blog.nightly.mozilla.o...
      // https://wiki.mozilla.org/Trust...
      // 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
      // 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

      user_pref("network.trr.mode", 0);

      --
      It must have been something you assimilated. . . .
  3. Both Edge users are terribly upset by spywhere · · Score: 3, Funny

    (sorry)

  4. THIS is why closed-source is bad by Anonymous Coward · · Score: 5, Insightful

    I mean, come on, the fact they encrypted the list and it had to be brute-forced meant that a) Microsoft didn't want us know and b) they knew it was sneaky. How much more anti-consumer can a program be -- it was hiding intentional violations of its own touted 'security policies' for some privileged group that isn't the user.

  5. How is this different from other browsers? by The+MAZZTer · · Score: 4, Insightful

    In the transition time to deprecating Flash and removing it from browsers entirely, there are still sites that use Flash and users of those sites which rely on it. So, all of the browsers have a whitelist which allows some sites to continue working while preventing others from introducing brand-new Flash content. This helps with the transition. Eventually the browsers narrow this list down in scope and add more security barriers in front of Flash until they can remove it entirely. That sounds exactly like what is happening here; the whitelist is down to two entries both of which are extremely popular sites. The whitelist and Flash itself will likely be removed at some point. I am not sure why the cause for alarm here; it wasn't too long ago that flash ran by default on ALL websites.

    I think the only real point of concern here is the lack of click to play, especially since anyone can make a Flash app with who knows what spyware as content and get it uploaded as a Facebook app.

    1. Re:How is this different from other browsers? by viperidaenz · · Score: 5, Insightful

      Because it's a "secret" list users don't have the ability to change.

      Facebook obviously doesn't need to use Flash to function, as Chrome and Firefox don't have this exemption.

  6. What's that? by raymorris · · Score: 2

    > Don't use Edge and Facebook blocked in hosts file

    What is hosts file and how do you block things in it?

  7. So it's trivial for a wifi portal to run Flash by viperidaenz · · Score: 4, Interesting

    All you need to do is redirect your "WiFi login" page to a whitelisted domain, MITM that domain, since you control the wifi network, and deliver what ever malicious Flash content you desire.
    Easy to do, since the whitelist is not restricted to HTTPS connections.

  8. Re:Hardware firewall by green1 · · Score: 4, Interesting

    As pointed out earlier by another poster, that's getting harder and harder as well.

    More programs *cough*Chrome*cough* are using their own internal resolvers instead of the system one, and running those over HTTPS specifically to bypass local domain blocks. IP blocks are also difficult with today's CDNs with large numbers of ever changing IPs, and domain based virtual hosts.

    Sure, you can get around all this for now, but I'm not sure that long term you'll be able to.

  9. Re:Yet again I calll for browser indepenance by green1 · · Score: 5, Insightful

    Not everyone is a skilled coder. Some people just want to use the internet without being a victim. Telling them to build their own browser isn't exactly helpful.

  10. Better joke: by Anonymous Coward · · Score: 4, Funny

    How many Edge users were upset to learn about the secret whitelist that allows Facebook to run Flash?

    Both!

  11. Facebook can't be trusted by WCMI92 · · Score: 2

    As even Apple has learned. Now Microsoft will be burned.

    --
    Corporatism != Free Market
  12. Who still uses Edge? by Locke2005 · · Score: 2

    Other than as the world's most popular method of downloading Chrome...

    --
    I've abandoned my search for truth; now I'm just looking for some useful delusions.