A now-fixed security flaw in the Microsoft Edge web browser could have been abused to install arbitrary extensions on users’ systems and perform malicious actions.
“This flaw could have allowed an attacker to exploit a private API, initially intended for marketing purposes, to surreptitiously install additional browser extensions with broad permissions without the user’s knowledge,” Guardio Labs security researcher Oleg Zaytsev said in a new report shared with The Hacker News.
Tracked as CVE-2024-21388 (CVSS score: 6.5), it was fixed by Microsoft in the stable version of Edge 121.0.2277.83 released on January 25, 2024, following responsible disclosure in November 2023. The Windows maker credited both Zaytsev and Jun Kokatsu with discovering and reporting the problem.
“An attacker who successfully exploits this vulnerability could gain the necessary privileges to install an extension,” Microsoft said in an advisory about the flaw, adding that it “could lead to an escape from the browser sandbox.”
Describing it as a privilege escalation flaw, the tech giant also emphasized that effective exploitation of the bug requires an attacker to “take additional actions prior to exploitation to prepare the target environment.”
According to Guardio’s findings, CVE-2024-21388 allows an attacker to execute JavaScript on bing[.]com or microsoft[.]com to install any extensions from the Edge add-ons store without requiring user consent or interaction.
This is made possible by the fact that the browser has privileged access to certain private APIs that allow an add-on to be installed as long as it comes from the vendor’s extension marketplace.
One such API in the Chromium-based Edge browser is edgeMarketingPagePrivate, which is accessible from a number of whitelisted websites that belong to Microsoft, including Bing[.]com, Microsoft[.]com, microsoftedgewelcome.microsoft[.]com and microsoftedgetips.microsoft[.]com, among others.
The API also includes a method called installTheme() which, as the name suggests, is designed to install a theme from the Edge add-ons store by passing a unique theme identifier (“themeId”) and its manifest file as input.
The bug identified by Guardio is essentially a case of insufficient validation, thus allowing an attacker to provide any extension identifier from the storefront (as opposed to the themeId) and install it covertly.
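The validation gap described above, as an added illustrative model written for this article and not Edge or Chromium source: a private install routine that checks the caller’s origin but then trusts the caller-supplied identifier and manifest, placed beside a hardened version that looks up the authoritative store record and confirms the item really is a theme before allowing a consent-free install. The origin allowlist is modelled on the sites named above; the store catalogue, add-on IDs and function names are constructed placeholders.

```javascript
// Constructed sample store catalogue (placeholder IDs, not real Edge add-ons).
const STORE_CATALOG = {
  "theme-ocean-0001": {
    manifest: { name: "Ocean Theme", version: "1.0", theme: { colors: {} } },
  },
  "ext-helper-0002": {
    manifest: {
      name: "Helper Extension",
      version: "2.3",
      permissions: ["tabs", "webRequest", "<all_urls>"],
      background: { service_worker: "bg.js" },
    },
  },
};

// Origins permitted to reach the private API (modelled on the allowlisted sites).
const ALLOWED_ORIGINS = new Set([
  "https://www.bing.com",
  "https://www.microsoft.com",
]);

// Weak model: only the caller's origin is verified. The supplied manifest is
// taken at face value and any catalogue ID installs silently, so a non-theme
// extension passes through the theme path without a consent prompt.
function installThemeWeak(callerOrigin, themeId, callerManifest, installed) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  if (!(themeId in STORE_CATALOG)) return { ok: false, reason: "unknown-id" };
  // callerManifest is never cross-checked against the store record.
  installed.add(themeId);
  return { ok: true, silent: true, manifestUsed: callerManifest };
}

// A theme manifest carries a "theme" block and no code-bearing keys or
// permissions; anything else must go through the normal consent flow.
function isThemeManifest(m) {
  return (
    typeof m.theme === "object" && m.theme !== null &&
    !("background" in m) &&
    !("content_scripts" in m) &&
    (!Array.isArray(m.permissions) || m.permissions.length === 0)
  );
}

// Hardened model: same origin check, but the manifest is fetched from the
// store's own record (caller input is ignored) and the item must validate as
// a theme before the silent install path is allowed.
function installThemeHardened(callerOrigin, themeId, _callerManifest, installed) {
  if (!ALLOWED_ORIGINS.has(callerOrigin)) return { ok: false, reason: "origin" };
  const item = STORE_CATALOG[themeId];
  if (!item) return { ok: false, reason: "unknown-id" };
  if (!isThemeManifest(item.manifest)) return { ok: false, reason: "not-a-theme" };
  installed.add(themeId);
  return { ok: true, silent: true, manifestUsed: item.manifest };
}

// Stand-alone demonstration.
const weakSet = new Set();
const hardSet = new Set();
console.log("weak:", installThemeWeak("https://www.bing.com", "ext-helper-0002", { theme: {} }, weakSet));
console.log("hardened:", installThemeHardened("https://www.bing.com", "ext-helper-0002", { theme: {} }, hardSet));
console.log("hardened theme:", installThemeHardened("https://www.bing.com", "theme-ocean-0001", {}, hardSet));
```

The point of the comparison is that origin allowlisting alone is not authorization: the decision to skip consent has to be made on data the browser controls (the store’s record of what the ID refers to), not on an identifier and manifest handed in by page script.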
“As an added benefit, since the installation of this extension is not done exactly the way it was originally designed, no user interaction or consent will be required,” Zaytsev explained.
In a hypothetical attack scenario exploiting CVE-2024-21388, a threat actor could publish a seemingly harmless extension to the add-ons store and use it to inject a malicious piece of JavaScript code into Bing[.]com – or any of the sites that are allowed to access the API – and install an arbitrary extension of their choice by calling the API using the extension identifier.
In other words, running the specially crafted extension in the Edge browser and then visiting Bing[.]com would automatically install the targeted extension without the victim’s permission.
Guardio told The Hacker News that while there is no evidence that this bug is being exploited in the wild, it highlights the need to balance user convenience and security, and how browser customizations can inadvertently defeat security mechanisms and introduce several new attack vectors.
“It is relatively easy for attackers to trick users into installing an extension that appears harmless, without realizing that it serves as an initial step in a more complex attack,” Zaytsev said. “This vulnerability could be exploited to facilitate the installation of additional extensions, potentially for profit.”