The Microsoft Edge built-in translator (the one that comes pre-installed) had vulnerable code: when a page merely displayed a payload such as `"><img src=x onerror=alert(1)>` as text (escaped markup that the page itself renders literally), the translator picked that text up, translated it, and wrote the result back into the page without sanitising it or treating it as text. The browser therefore parsed the translated string as HTML and the `onerror` handler ran as JavaScript. There was no validation step that escaped the translated text (or serialised the DOM to text) before it was reinserted for translation.
Below is the code snippet that was affected; it seems that `startPageTranslation` is the affected function.
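The following is an added example, not code from the original post or from Edge, that models the write-back bug described above without a browser. The HTML source of a page that talks about XSS stores the payload escaped (`&lt;img ...&gt;`); the browser decodes it into a text node; a translator that reads that text node and assigns the translated string to `innerHTML` turns it into live markup. The translation dictionary, the page text and the `createsEventHandler` check (a crude stand-in for the HTML parser behind `innerHTML`) are all constructed for the example.

```javascript
// Added example: the translator write-back bug modelled outside a browser.
// Nothing here is Edge's own code; the dictionary and page text are constructed.

// What the HTML parser does when it builds a text node from escaped source.
function decodeEntities(html) {
  return html
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// Inverse: what a safe write-back must do before the string reaches innerHTML.
function escapeHtml(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Constructed stand-in for the translation service: a few Spanish words become
// English, everything else (including the payload) is passed through untouched.
const DICT = { hola: 'hello', mundo: 'world', ejemplo: 'example', de: 'of' };
function fakeTranslate(text) {
  return text
    .split(/(\s+)/)
    .map((tok) => (Object.prototype.hasOwnProperty.call(DICT, tok.toLowerCase())
      ? DICT[tok.toLowerCase()]
      : tok))
    .join('');
}

// Crude stand-in for innerHTML's parser: would this string create an element
// carrying an inline event handler (onerror=, onload=, ...)?
const HANDLER_TAG = /<\s*[a-z][a-z0-9]*\b[^>]*\bon[a-z]+\s*=/i;
function createsEventHandler(html) {
  return HANDLER_TAG.test(html);
}

// Vulnerable write-back: read textContent, translate, assign to innerHTML.
// The returned string is exactly what innerHTML would receive.
function translateNodeUnsafe(sourceHtml) {
  const textNodeContent = decodeEntities(sourceHtml);
  return fakeTranslate(textNodeContent);
}

// Hardened write-back: escape the translated string first (equivalent to
// assigning it to textContent instead of innerHTML).
function translateNodeSafe(sourceHtml) {
  return escapeHtml(fakeTranslate(decodeEntities(sourceHtml)));
}

// Constructed page source: a Spanish sentence followed by the payload shown as text.
const PAGE_TEXT = 'hola mundo ejemplo de XSS: &quot;&gt;&lt;img src=x onerror=alert(1)&gt;';

const unsafeResult = translateNodeUnsafe(PAGE_TEXT);
const safeResult = translateNodeSafe(PAGE_TEXT);
console.log('unsafe write-back:', unsafeResult, '| live handler:', createsEventHandler(unsafeResult));
console.log('safe write-back:  ', safeResult, '| live handler:', createsEventHandler(safeResult));
```

The page source never contained a real `<img>` tag; the tag only exists once the escaped text is decoded into a text node and then handed to an HTML parser. That round trip (text node out, innerHTML in) is the whole bug, and escaping on the way back in (or writing to `textContent`) closes it.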
Now comes the special part of this blog: exploitation, steps to reproduce, and a description of the vulnerability.
Vulnerability Name — uXSS (Universal Cross Site Scripting)
Description Of Vulnerability —
Unlike common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or in browser extensions to create an XSS condition and execute malicious code. When such vulnerabilities are found and exploited, the behaviour of the browser is affected and its security features may be bypassed or disabled.
Steps To Reproduce -
1- Download the POC.html file from the code snippet above, or copy and paste the code into a file, name it POC.html and save it.
2- Start a Python web server on localhost in the same folder as your POC file, using the command below:
python3 -m http.server 80
3- Open Microsoft Edge (Version 91.0.864.48 (Official build) (arm64)) and visit http://localhost/POC.html
Most probably, by the time you read this article Edge has already been updated to a fixed version, which is why you may not be able to reproduce it.
4- The translator will show a message saying this page is in another language and ask whether you would like to translate it; click the Translate button.
5- Boom, you get alert(1).
Please note: the reason we spin up the Python server even for a plain HTML file is simple. Sometimes the translator prompt does not appear when the HTML file is just opened from disk, probably because the document then has a file:// location rather than an http:// one.
Two Conditions For Remote Exploit →
1- The victim must be using Microsoft Edge
2- The victim must have auto-translate turned on
Impact -
We can summarise the impact in the four statements below.
1- Any page that reflects `"><img src=x onerror=alert(1)>` (or any XSS payload) as text is exploitable; all we need is reflection.
2- Any person from another country (who does not read English) reading about XSS on an English site is affected → as soon as they translate the page, the XSS pops up.
3- All users of Edge are exposed to XSS that can trigger on any website.
4- Anyone who receives an email or message containing content in a different language plus an XSS payload is affected.
There are many possibilities with this attack vector.
This class of vulnerability is known as universal XSS.
Now, how we could have hacked Google and Facebook
Facebook → we created a profile with a name in a different language plus an XSS payload and sent a friend request to the victim (who is using Edge); as soon as he viewed our profile he got hacked (the XSS popped up because of auto-translation).
Google → we wrote a review on Google for a company, HackENews, in a different language plus an XSS payload; anyone browsing that review link got hacked (the XSS popped up because of auto-translation).
YouTube → we created a YouTube video and posted a comment containing an XSS payload plus text in a different language; anyone viewing that video in Edge got hacked (the XSS popped up because of auto-translation).
YouTube and Google share the same PoC video.
Windows Store application → we found that web-based applications from the Windows Store (for example Instagram) are also affected by this attack, since the Windows Store ships those applications with the same Microsoft Edge translator that was responsible for triggering the uXSS (Universal XSS) attack.