Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

THIS is why closed-source is bad

I mean, come on, the fact they encrypted the list and it had to be brute-forced meant that a) Microsoft didn't want us know and b) they knew it was sneaky. How much more anti-consumer can a program be -- it was hiding intentional violations of its own touted 'security policies' for some privileged group that isn't the user.

Re:How is this different from other browsers?

[viperidaenz]

Because it's a "secret" list users don't have the ability to change.

Facebook obviously doesn't need to use Flash to function, as Chrome and Firefox don't have this exemption.

Re:Yet again I calll for browser indepenance

[green1]

Not everyone is a skilled coder. Some people just want to use the internet without being a victim. Telling them to build their own browser isn't exactly helpful.