Microsoft recently fixed a UXSS vulnerability in the Edge browser caused by the built-in Microsoft Translator. The bug was assigned the identifier CVE-2021-34506 (5.4 points on the CVSS scale), and it could be used to inject and execute arbitrary code in the context of any site.
The problem was discovered by several information security experts, including specialists from CyberXplore Private Limited, who spoke about the bug in more detail.
“Unlike conventional XSS attacks, UXSS (universal cross-site scripting) exploits vulnerabilities on the client side, in the browser itself or in its extensions, to create XSS and execute malicious code,” the researchers write. “When such vulnerabilities are discovered and exploited, it affects the behavior of the browser, and its security features can be bypassed or disabled.”
It turned out that the translator contained a fragment of vulnerable code that failed to sanitize input data properly. This allowed an attacker to inject malicious JavaScript anywhere on a web page, and the code was then executed when the user tried to translate that page.
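The bug class described above, shown as an added example; this is not Edge or Microsoft Translator code and not taken from the researchers' report. It assumes, for illustration, that a translator reads the rendered text of a page and writes the translation back as markup; all function names and the sample string are constructed, and the sample carries only a harmless marker tag.

```javascript
// Constructed sample: user-supplied text as the hosting site serves it,
// correctly HTML-escaped, so on the site itself it renders as inert text.
const escapedComment = 'Bonjour &lt;b data-marker="1"&gt;le monde&lt;/b&gt;';

// What reading the rendered text (textContent) yields: entities are decoded.
function decodeEntities(s) {
  return s.replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&amp;/g, '&'); // '&' last, to avoid double decoding
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
          .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Hypothetical stand-in for the translation service (identity function).
function translate(text) { return text; }

// Flawed write-back: the translated text is placed into markup unencoded,
// the string equivalent of assigning it to innerHTML.
function writeBackUnsafe(escapedSource) {
  const text = decodeEntities(escapedSource);
  return '<span class="translated">' + translate(text) + '</span>';
}

// Hardened write-back: the translated text is encoded again before it
// re-enters markup (in a DOM, assign textContent or create a text node).
function writeBackSafe(escapedSource) {
  const text = decodeEntities(escapedSource);
  return '<span class="translated">' + escapeHtml(translate(text)) + '</span>';
}

// Count element start tags inside the translator's wrapper span; anything
// above zero means text supplied by a user became live markup.
function injectedTags(markup) {
  const inner = markup.replace(/^<span class="translated">/, '')
                      .replace(/<\/span>$/, '');
  return (inner.match(/<[a-zA-Z][^>]*>/g) || []).length;
}

console.log('unsafe write-back, injected tags:',
            injectedTags(writeBackUnsafe(escapedComment)));
console.log('safe write-back, injected tags:',
            injectedTags(writeBackSafe(escapedComment)));
```

The site's own output encoding is intact in both cases; the difference is only in how the client-side component re-inserts the text, which is why the flaw applies to any site the user translates.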
As a PoC, the researchers demonstrated the attack by adding comments to YouTube videos. The comment was written in a language other than English and also contained an XSS payload.
Likewise, the bug could be exploited through, for example, a friend request from a Facebook profile that contained content in a different language and a payload. The code was executed after the recipient of the request checked the sender’s profile and used the translator.
Microsoft fixed this issue on June 24, 2021, and also paid the researchers $20,000 through its bug bounty program.