Wavethrough Bug Exposes User Data in Firefox and Edge Browsers

Wavethrough Bug Forces Some Browsers to Leak User Data from Other Sites

Google specialist Jake Archibald discovered a critical vulnerability that poses a threat to several modern browsers. The issue, named Wavethrough and identified as CVE-2018-8235, allows malicious websites to steal information from other resources where the user is logged in with the same browser. To carry out the attack, it is enough to embed a malicious video or audio file on a web page using the <video> and <audio> tags.

The root of the Wavethrough problem lies in the use of Cross-origin resource sharing (CORS) technology. CORS allows a web page to access resources from another domain.

Archibald explains that a malicious service worker can make the browser load multimedia content, embedded with <video> and <audio> tags, from a remote source. The HTTP Range request header allows only a specific part of the file to be loaded. This was originally designed to make it easier to load large media files or to resume interrupted downloads.

Under normal circumstances, CORS prevents this kind of behavior. Browsers have long forbidden sites from making cross-origin requests to other domains without explicit permission. However, these restrictions do not apply to media content hosted on remote sources. This means it is possible to embed audio or video files from another domain on a site. As a result, under certain conditions, attackers can use no-cors requests, which many sites (including Facebook, Gmail, and BBC) will accept without issue.

“This means that if you open my proof-of-concept site in the Edge browser, I could read your emails or Facebook feed without your knowledge,” the expert explains. “The bug appeared when browsers implemented range requests for media elements, which were not covered by the standard. These range requests turned out to be very useful, so browsers copied each other’s behavior, but no one integrated it into the standard.”

The attack works as follows: the attacker places media content on their site, which, when played, loads only partially from their server. Then, the site asks the browser to fetch the remaining part of the file from another source, forcing it to make a cross-origin request. The request, which should be blocked, is processed, and the attacker gains the ability to steal user data.
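The check that this flow slipped past can be modelled in a few lines. This is an added JavaScript example, not code from Archibald, any browser, or the Fetch standard: `createMediaLoad`, `acceptChunk`, the response fields and the example hosts are all constructed for illustration. It rejects any chunk of a media resource that arrives from a different origin than the first chunk unless that origin opted in through CORS.

```javascript
// Simplified model (an assumption, not browser or spec code): all responses
// used to assemble one media resource must come from the origin that served
// the first chunk, unless the other origin approved the read through CORS.

// Parse "bytes 0-99/1000" from a Content-Range header; null if malformed.
function parseContentRange(value) {
  const m = /^bytes (\d+)-(\d+)\/(\d+|\*)$/.exec(value || "");
  if (!m) return null;
  const start = Number(m[1]), end = Number(m[2]);
  return start <= end ? { start, end } : null;
}

// State for one <video>/<audio> load.
function createMediaLoad() {
  return { firstOrigin: null };
}

function reject(reason) {
  return { ok: false, reason };
}

// Decide whether a response may be appended to the media buffer.
// res = { url (final URL after redirects), status, contentRange, corsApproved }
function acceptChunk(load, res) {
  const origin = new URL(res.url).origin;
  if (res.status === 206 && !parseContentRange(res.contentRange)) {
    return reject("malformed Content-Range");
  }
  if (load.firstOrigin === null) {
    load.firstOrigin = origin; // remember who served the first chunk
  } else if (origin !== load.firstOrigin && !res.corsApproved) {
    // The Wavethrough case: a later chunk silently switches to another origin.
    return reject(`origin changed from ${load.firstOrigin} to ${origin}`);
  }
  return { ok: true, reason: "accepted" };
}

// Constructed sample: first chunk from the embedding site's media host,
// "remaining part" from a different site that never granted CORS access.
const SAMPLE = [
  { url: "https://media.example/clip.wav", status: 206, contentRange: "bytes 0-43/5000", corsApproved: false },
  { url: "https://mail.example/inbox", status: 200, contentRange: null, corsApproved: false },
];

function runSample() {
  const load = createMediaLoad();
  return SAMPLE.map((res) => acceptChunk(load, res).ok);
}
```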

Not all browsers are vulnerable to the Wavethrough problem—only Mozilla Firefox and Microsoft Edge are affected. Chrome and Safari are safe, and Archibald believes that Chrome fixed the Wavethrough issue back in 2015 by chance, while addressing another vulnerability related to the range parameter and multimedia content.

In his blog, the specialist detailed the challenges he faced while trying to notify browser developers about the bug. At the time Wavethrough was discovered, Firefox 59 was still in beta, but the vulnerability never made it into the stable release of Firefox 59, as Mozilla quickly fixed it. However, things went quite differently with Microsoft.

Archibald reported the issue to developers on March 1, 2018, via the Edge bug tracker and also sent a message about the vulnerability by email. That same day, he received a reply stating that the security team did not have access to the Edge bug tracker and asked him to send the details by email. The researcher forwarded all the necessary information, but was then told that an investigation could not proceed without source code. Although simply using the “view source” function in the browser would have sufficed, Archibald did not argue and sent Microsoft the required source files.

After that, Microsoft employees went silent for 20 days, and the researcher had to contact acquaintances on the Edge development team to confirm that the issue was recognized as serious and would be addressed.

Since Archibald was entitled to a monetary reward under the bug bounty program, he asked if the money could be donated directly to charity. Two weeks later, he was told this was not possible, even though the company’s official documentation stated otherwise.

Time passed, but no patches for Edge were released. On April 12, 2018, Archibald publicly complained on Twitter that working with the Edge team was very difficult. This criticism caught the attention of Microsoft engineers, who admitted that the company’s response was far from optimal.

Ultimately, a patch for Edge was released only last week, on June 12, 2018, as part of the June “Patch Tuesday” updates.

A proof-of-concept attack video can be seen below. The researcher also created a special website where users of vulnerable versions of Mozilla Firefox and Microsoft Edge can see a demonstration of the bug in action.
