Microsoft Edge was vulnerable to a unique flaw that allowed threat actors to install malicious extensions on the browser without the victim’s knowledge or consent. This could lead to a wide array of security incidents, as extensions can grab screenshots, store sensitive user data, and more.
The good news is that the flaw was discovered last year, and patched earlier this year – so if you’re using Edge, chances are you’re already protected against this vulnerability.
As per a report on The Hacker News, security researchers from Guardio Labs discovered a privilege escalation flaw, which is now tracked as CVE-2024-21388. It carries a severity score of 6.5, and revolves around the fact that Edge was designed to have privileged access to some private APIs. This access makes it possible for the browser to install add-ons in the background, as long as they’re from the vendor’s extensions store.
Abusing legitimate APIs
One of the APIs is called edgeMarketingPagePrivate, which can, among other things, install themes from the Edge Add-ons store. In theory, threat actors could trick this API into installing a malicious extension instead of a theme.
The process would look like this: a threat actor would first need to create a seemingly benign add-on for Edge, which would inject malicious JavaScript code on a site that allows access to the API (for example, bing[.]com). This JavaScript would, in turn, trigger the installation of the malicious add-on, in complete silence.
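Because the chain described above starts with an add-on that can run script on a site with access to the API, defenders can review which installed extensions request that reach. The following is an added example, not code from Guardio Labs or Microsoft: it checks extension manifests for match patterns that cover such a site. The host list is an assumption built from the article's single example, and the sample manifests are constructed.

```javascript
// Added example (defensive audit), not code from Guardio Labs or Microsoft.
// ASSUMPTION: bing.com is the only privileged host named in the article.
const PRIVILEGED_HOSTS = ["bing.com", "www.bing.com"];

// True if a Chromium match pattern such as "*://*.bing.com/*" covers `host`.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)\//.exec(pattern.toLowerCase());
  if (!m) return false;                      // file://, malformed, API names
  const patHost = m[2];
  if (patHost === "*") return true;          // any host
  if (patHost.startsWith("*.")) {            // domain and all subdomains
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return host === patHost;                   // exact host
}

// Lists every manifest entry that lets the extension script a privileged host.
function auditManifest(manifest, hosts = PRIVILEGED_HOSTS) {
  const findings = [];
  const check = (source, patterns) => {
    for (const p of patterns || []) {
      if (typeof p !== "string") continue;
      const hit = hosts.filter((h) => patternCoversHost(p, h));
      if (hit.length) findings.push({ source, pattern: p, hosts: hit });
    }
  };
  (manifest.content_scripts || []).forEach((cs, i) =>
    check(`content_scripts[${i}].matches`, cs.matches));
  check("host_permissions", manifest.host_permissions); // Manifest V3
  check("permissions", manifest.permissions);           // Manifest V2 host entries
  return findings;
}

// Constructed sample manifests (hypothetical extensions, not real add-ons).
const SAMPLE_THEME = { manifest_version: 3, name: "Plain theme", theme: {} };
const SAMPLE_INJECTOR = {
  manifest_version: 3, name: "Helper",
  content_scripts: [{ matches: ["https://www.bing.com/*"], js: ["cs.js"] }],
  host_permissions: ["*://*.bing.com/*"],
  permissions: ["storage"],
};

console.log(auditManifest(SAMPLE_THEME));
console.log(JSON.stringify(auditManifest(SAMPLE_INJECTOR), null, 2));
```

A finding is not proof of malice, since many legitimate extensions request broad host access; it marks add-ons worth a closer look.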
The edgeMarketingPagePrivate API was initially intended for marketing purposes, Guardio Labs’ researchers said.
Speaking to the publication, Guardio’s researchers said that they found no evidence of the flaw being abused in the wild, but added that browser makers need to find a delicate balance between user experience and security. Browser customization, they concluded, can inadvertently defeat security mechanisms and introduce new attack vectors.