Discovered by Jake Archibald, developer advocate for Google Chrome, the vulnerability resides in the way browsers handle cross-origin requests to video and audio files, which if exploited, could allow remote attackers to even read the content of your Gmail or private Facebook messages.
For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless any domain explicitly allows it.
That means, if you visit a website on your browser, it can only request data from the same origin the site was loaded from, preventing it from making any unauthorized request on your behalf in an attempt to steal your data from other sites.
However, web browsers do not respond in the same way while fetching media files hosted on other origins, allowing a website you visit to load audio/video files from different domains without any restrictions.
Moreover, browsers also support range header and partial content responses, allowing websites to serve partial content of a large media file, which is useful while playing a large media or downloading files with pause and resume ability.
In other words, media elements have an ability to join pieces of multiple responses together and treat it as a single resource.
However, Archibald found that Mozilla FireFox and Microsoft Edge allowed media elements to mix visible and opaque data or opaque data from multiple sources together, leaving a sophisticated attack vector open for attackers.
blog post published today, Archibald detailed this vulnerability, which he dubbed Wavethrough, explaining how an attacker can leverage this feature to bypass protections implemented by browsers that prevent cross-origin requests.
"Bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each others behaviour, but no one integrated it into the standard," Archibald explained.
According to Archibald, this loophole can be exploited by a malicious website using an embedded media file on its webpage, which if played, only serves partial content from its own server and asks the browser to fetch rest of the file from a different origin, forcing the browser to make a cross-origin request.
The second request, which actually is a cross-origin request and should be restricted, will be successful because mixing visible and opaque data are allowed for a media file, allowing one website to steal content from the other.
"I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio," Archibald said.Archibald has also published a video, and a proof-of-concept exploit demonstrating how a malicious website can fetch your private content from websites like Gmail and Facebook, whose response will be same for the malicious site as your browser loads them for you.
Since Chrome and Safari already have a policy in place to reject such cross-origin requests as soon as they see any redirection after the underlying content appears to have changed between requests, their users are already protected.
"This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against," Archibald said.FireFox and Edge browsers that were found vulnerable to this issue have also patched the vulnerability in their latest versions after Archibald responsibly reported it to their security teams.
Therefore, FireFox and Edge browser users are highly recommended to make sure that they are running the latest version of these browsers.