March 27, 2024 at 09:09AM
A security flaw in the Microsoft Edge browser, tracked as CVE-2024-21388, allowed attackers to covertly install browser extensions with broad permissions through a private API; Microsoft fixed it in Edge version 121.0.2277.83. The bug enabled installation of malicious extensions without user consent, Microsoft rated it as a privilege escalation, and it underlines the trade-off between user convenience and security.
Key Takeaways from the Newsroom Meeting discussing Vulnerability/API Security:
1. Security flaw in Microsoft Edge web browser: A now-patched security flaw (CVE-2024-21388) in the Microsoft Edge browser allowed attackers to exploit a private API to covertly install additional browser extensions with broad permissions without the user's knowledge.
2. Abused API: The API in question was a private interface intended for marketing purposes and exposed only to specific websites; an attacker who could reach it could install extensions with broad permissions, potentially leading to a browser sandbox escape.
3. Privilege escalation flaw: Microsoft classifies the bug as a privilege escalation, with the caveat that successful exploitation requires the attacker to take additional actions to prepare the target environment (in practice, getting their JavaScript to run on one of the websites that can reach the API).
4. Exploitation method: Bad actors who could run JavaScript on those specific websites could install any extension from the Edge Add-ons store without user consent or interaction.
5. API vulnerability: The bug identified by Guardio is a case of insufficient validation: the API accepted any extension identifier from the storefront, without checking what the identifier referred to or asking the user, and installed it stealthily.
6. Hypothetical attack scenario: An attacker could publish a seemingly harmless extension, use it to inject malicious JavaScript into one of the websites that can reach the API, and from there invoke the API with the identifier of the extension they really want installed, which would then be installed automatically without the victim's permission.
7. Implications: This bug emphasizes the need to balance user convenience and security and highlights how browser customizations can inadvertently introduce new attack vectors.
8. No evidence of exploitation: While there is no evidence of the bug being exploited in the wild, it could have been used to push additional extensions onto victims' browsers, most plausibly for monetary gain.
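To make the "insufficient validation" takeaway concrete, here is an added model of the flaw and its fix. It is not Edge's, Microsoft's or Guardio's code: the store catalogue, the item identifiers, the trusted origin, the handler name `installTheme` and the consent hook are all constructed stand-ins. The vulnerable handler installs whatever store id the page hands it; the hardened one checks the caller's origin, checks that the id really refers to a permission-free theme, and still requires the user to agree.

```javascript
// Added illustration (not Edge's or Guardio's code) of the validation gap the
// takeaways describe: a privileged install API reachable from page JavaScript
// that trusts a caller-supplied store identifier. Every identifier, origin and
// catalogue entry below is constructed for the example.

// Constructed stand-in for an add-ons store catalogue: id -> listing metadata.
const STORE_CATALOGUE = {
  "theme0000000000000000000000000001": { name: "Blue Theme", kind: "theme", permissions: [] },
  "exten0000000000000000000000000001": {
    name: "Handy Helper",
    kind: "extension",
    permissions: ["tabs", "webRequest", "<all_urls>"], // broad permissions, as in the summary
  },
};

// Assumed: the only origin the private API is meant to be exposed to.
const TRUSTED_ORIGINS = new Set(["https://marketing.example.com"]);

// Vulnerable model: the handler resolves whatever id it is handed and installs
// it with the permissions the listing declares. It never checks that the id is
// actually a theme, never asks the user, and ignores who is calling.
function installThemeVulnerable(profile, requestedId /* origin and consent hook unused */) {
  const listing = STORE_CATALOGUE[requestedId];
  if (!listing) throw new Error("unknown store item");
  profile.installed.push({ id: requestedId, permissions: listing.permissions });
  return listing;
}

// Hardened model: same entry point, with the checks the vulnerable one lacks.
function installThemeHardened(profile, requestedId, callerOrigin, askUser) {
  if (!TRUSTED_ORIGINS.has(callerOrigin)) throw new Error("caller origin not allowed");
  const listing = STORE_CATALOGUE[requestedId];
  if (!listing) throw new Error("unknown store item");
  // The API exists to install themes: refuse any other kind of listing, and
  // refuse any listing that would grant permissions at all.
  if (listing.kind !== "theme" || listing.permissions.length !== 0) {
    throw new Error("item is not a permission-free theme");
  }
  // Even a genuine theme still needs an explicit decision by the user.
  if (!askUser(listing)) throw new Error("user declined");
  profile.installed.push({ id: requestedId, permissions: listing.permissions });
  return listing;
}

// Simulates attacker JavaScript running on a page that can reach the API. The
// attacker cannot click for the user, so the consent callback always says no.
function attemptSilentInstall(handler, requestedId, callerOrigin) {
  const profile = { installed: [] };
  try {
    handler(profile, requestedId, callerOrigin, () => false);
    return { ok: true, reason: null, installed: profile.installed };
  } catch (err) {
    return { ok: false, reason: err.message, installed: profile.installed };
  }
}

// Legitimate use of the hardened API: trusted page, real theme, user who agrees.
function legitimateThemeInstall() {
  const profile = { installed: [] };
  installThemeHardened(
    profile,
    "theme0000000000000000000000000001",
    "https://marketing.example.com",
    () => true
  );
  return profile.installed;
}

// Usage: node silent_install_demo.js
const attackerId = "exten0000000000000000000000000001";
console.log("vulnerable:", attemptSilentInstall(installThemeVulnerable, attackerId, "https://marketing.example.com"));
console.log("hardened:  ", attemptSilentInstall(installThemeHardened, attackerId, "https://marketing.example.com"));
console.log("hardened, legitimate theme:", legitimateThemeInstall());
```

The point of the model is the order of checks: origin first, so script on an arbitrary site cannot even reach the catalogue lookup; then a type check on what the store actually returns for the id, not on what the caller claims; then consent. Any one of those missing is enough to reproduce the silent-install behaviour described in the takeaways.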
Please let me know if you need any additional details or further analysis.