Jake Archibald, a developer advocate for Google Chrome, has discovered a fairly serious vulnerability in modern web browsing technology that could permit sites to steal login details as well as other sensitive information. Exploits could theoretically steal information related to other sites that you have logged into but aren’t currently attempting to access.
Remote attackers could hypothetically even use this vulnerability to read the content of email you access from a web interface or private posts sent to you on a social networking site.
In theory, the vulnerability builds on the way browsers handle cross-origin requests. Modern browsers don’t permit sites to make cross-origin requests because modern engineers believe that there are few legitimate reasons for one site to look at information served from another.
Web browsers aren’t so particular when it comes to fetching other types of media files hosted on outside origins, since this kind of request is necessary to load streaming audio and video.
Site code is generally allowed to load audio and video files from other domains without prompting a browser to display an unauthorized request error. Browsers may also support some types of range header and partial content responses, which are supposed to deliver small pieces of a larger piece of streaming media.
According to Archibald’s research, Microsoft Edge, Mozilla Firefox and other modern browsers could be tricked into loading irregular requests using this method. These browsers have been shown to let test copies of opaque data from multiple sources through to an end user.
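The following is an added illustration, not code from Archibald's research or from any browser: a simplified model of a media loader that refuses to stitch partial content responses from more than one source into a single resource. The function names, response fields and example.* URLs are assumptions, and the sample responses are constructed.

```javascript
// Parse a Content-Range header such as "bytes 0-99/300".
// Returns null when the header is missing, malformed or self-contradictory.
function parseContentRange(value) {
  const m = /^bytes (\d+)-(\d+)\/(\d+)$/.exec(value || "");
  if (!m) return null;
  const [start, end, total] = m.slice(1).map(Number);
  return start <= end && end < total ? { start, end, total } : null;
}

// Check a sequence of partial responses that a page wants played as ONE
// media resource. Each entry records the URL that served it, the HTTP
// status and the Content-Range header (hypothetical field names).
function checkRangeSequence(pageOrigin, responses) {
  let firstOrigin = null;
  let expectedStart = 0;
  let total = null;
  for (const [index, res] of responses.entries()) {
    const origin = new URL(res.url).origin;
    if (firstOrigin === null) firstOrigin = origin;
    // Core rule: every piece must come from the source of the first piece.
    if (origin !== firstOrigin) {
      return { ok: false, index, reason: "origin changed mid-stream" };
    }
    if (res.status !== 206) {
      return { ok: false, index, reason: "not a partial content response" };
    }
    const range = parseContentRange(res.contentRange);
    const consistent = range && range.start === expectedStart &&
      (total === null || range.total === total);
    if (!consistent) {
      return { ok: false, index, reason: "inconsistent Content-Range" };
    }
    total = range.total;
    expectedStart = range.end + 1;
  }
  // Media from another origin stays unreadable (opaque) to the page.
  return { ok: true, crossOrigin: firstOrigin !== pageOrigin };
}

// Constructed sample data.
const sameSource = [
  { url: "https://media.example/clip.wav", status: 206, contentRange: "bytes 0-99/300" },
  { url: "https://media.example/clip.wav", status: 206, contentRange: "bytes 100-299/300" },
];
const mixedSource = [
  { url: "https://media.example/clip.wav", status: 206, contentRange: "bytes 0-99/300" },
  { url: "https://other.example/data", status: 206, contentRange: "bytes 100-299/300" },
];
console.log(checkRangeSequence("https://site.example", sameSource));
console.log(checkRangeSequence("https://site.example", mixedSource));
```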
Currently there aren’t any known instances of crackers making use of this attack vector. Wavethrough, as Archibald calls it, has already been corrected in Chrome and Safari, though not as the result of a deliberate effort to do so. He stated that he wished this kind of security feature had been written into a browsing standard so that all modern browsers would be immune to the vulnerability.
While there hasn’t been any news about Microsoft or Mozilla responding to the bug, it’s not hard to believe that patches will be released with the next major update of both of these browsers. Engineers may also someday push for this design to be standard as Archibald wished.