A critical browser vulnerability dubbed Wavethrough has been discovered by Jake Archibald, developer advocate for Google Chrome. By altering a certain parameter when loading multimedia content, an attacker could request data from arbitrary domains on which the victim is active, stealing important information in the process. A proof-of-concept has been released, showing the vulnerability in action.
Multimedia flaws in modern browsers
Jake Archibald, developer advocate for Google Chrome, recently discovered a serious vulnerability in modern web browsers. Service workers are a tool often used to handle the loading of audio or video content from remote pages. They are also where this vulnerability resides: by specifying a certain range parameter, normally used to load a specific part of a file, data from other domains can be read.
Generally, modern browsers do not allow these types of requests, called cross-origin requests, unless the target domain explicitly permits them. This means data can only be requested from the same origin as the initial load, preventing unauthorized requests. But, as Archibald found, service workers could be used to load content from an arbitrary domain.
Due to clashing standards, modern browsers act differently when retrieving media files from other origins. Simply put, the range parameter allows media elements to join several responses from different origins together, creating a stream of data from whichever sources the attacker sees fit.
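To make the browser-side rule concrete, here is an added example (not code from Archibald's post or from any browser vendor) of the check a service worker, or the media loader behind it, should apply before answering a ranged media request: every response that makes up one media load must come from the origin that served the load's first bytes, so a synthesized header can never be followed by an opaque cross-origin body. Requests and responses are modelled as plain objects carrying the fields a real Request/Response exposes (url, headers, type), and the hostnames page.example and other.example are constructed, so the code runs offline in Node without service-worker APIs.

```javascript
// Added example, not from the article: a guard that refuses to splice responses
// from different origins into one ranged media load. Requests and responses are
// modelled as plain objects ({ url, headers }, { url, type }) so this runs in
// plain Node; hostnames are constructed for the demonstration.

// Parse "bytes=start-end" (end optional). Anything else yields null so a
// malformed Range header is refused rather than guessed at.
function parseRange(value) {
  if (typeof value !== 'string') return null;
  const m = /^bytes=(\d+)-(\d*)$/.exec(value.trim());
  if (!m) return null;
  const start = Number(m[1]);
  const end = m[2] === '' ? null : Number(m[2]);
  if (end !== null && end < start) return null;
  return { start, end };
}

// Origin the response bytes came from. A response the worker synthesized
// itself (url === '') originates from the page's own origin.
function responseOrigin(response, pageOrigin) {
  return response.url === '' ? pageOrigin : new URL(response.url).origin;
}

class MediaLoadGuard {
  constructor(pageOrigin) {
    this.pageOrigin = pageOrigin;
    this.loads = new Map(); // media URL -> origin that served its first bytes
  }

  // Decide whether `response` may answer `request`. Returns { allowed, reason }.
  check(request, response) {
    const rangeHeader = request.headers.range;
    if (rangeHeader !== undefined && parseRange(rangeHeader) === null) {
      return { allowed: false, reason: 'malformed Range header' };
    }
    const origin = responseOrigin(response, this.pageOrigin);
    const first = this.loads.get(request.url);
    if (first === undefined) {
      // First bytes of this media load: remember who served them.
      this.loads.set(request.url, origin);
      return { allowed: true, reason: 'first response for this media load' };
    }
    if (origin !== first) {
      const kind = response.type === 'opaque' ? 'opaque cross-origin response' : 'response';
      return {
        allowed: false,
        reason: `${kind} from ${origin} cannot be spliced into a load started by ${first}`,
      };
    }
    return { allowed: true, reason: 'same origin as the rest of the load' };
  }
}

// Run the two-step pattern the article describes against the guard: a
// synthesized 206 for the first range, then an opaque response from another
// origin for the remainder. Returns both decisions so they can be inspected.
function demo() {
  const guard = new MediaLoadGuard('https://page.example');
  const media = 'https://page.example/clip.wav';
  const first = guard.check(
    { url: media, headers: { range: 'bytes=0-' } },
    { url: '', type: 'basic' },
  );
  const second = guard.check(
    { url: media, headers: { range: 'bytes=44-' } },
    { url: 'https://other.example/private', type: 'opaque' },
  );
  return { first, second };
}
```

Calling demo() allows the first, same-origin response and rejects the second with a reason naming both origins; the guard keys its state on the media URL, so a fresh load of a different file starts its own origin record. In a real worker the same decision would sit inside the fetch event handler before event.respondWith().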
Proof of concept and mitigation
Archibald released a proof-of-concept video in his blog post explaining the attack and how to perform it. A proof-of-concept page was also created in which he managed to retrieve Facebook content from a malicious domain. The vulnerability was dubbed Wavethrough as it involved exploiting WAV audio within the browser.
“I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio,” Archibald stated.
The vulnerability has been patched in the Firefox and Edge versions vulnerable to the issue. Chrome is believed to have accidentally fixed the issue in a previous patch. Therefore, all users are urged to update their browsers.