DuckDuckGo browser extension vulnerability leaves Edge users open to potential cyber-snooping

Jessica Haworth, 16 March 2021 at 16:01 UTC. Updated: 16 March 2021 at 16:33 UTC

XSS security flaw has already been patched in Google Chrome and Mozilla Firefox



UPDATED DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.


The vulnerability was discovered in DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features.


It could be leveraged to achieve uXSS on victims’ devices, revealed researcher Wladimir Palant, meaning that arbitrary code could be executed on any domain.


While it has been patched in Chrome and, since the time of writing, in Mozilla Firefox, no update has been issued for other browsers such as Microsoft Edge.


Palant included more technical details about the attack in a blog post.


Complete control


The security flaw could enable malicious actors to spy on all websites that the user is visiting, leaving sensitive information such as banking details and other data potentially accessible.


It leaves their privacy “completely compromised” when browsing online, said Palant, and can even exploit websites that have countermeasures such as a content security policy.


The vulnerability can only be exploited by somebody controlling http://staticcdn.duckduckgo.com, Palant noted, meaning that an attacker would need to gain access to the server.


Palant wrote: “Note how is inserted into this script without any escaping or sanitiz ..
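The bug class behind this report is data pasted into generated script text without escaping. The following example is added here to illustrate that general pattern and its fix; it is not code from the article, from DuckDuckGo Privacy Essentials or from Palant's post, and the function names, the `siteConfig` variable and the sample value are all hypothetical.

```javascript
// Added example (not code from the article, DuckDuckGo, or Wladimir Palant).
// It shows the general bug class the article describes: a value that is
// pasted into generated script text without escaping becomes executable code.
// The function names, the siteConfig variable and SAMPLE_VALUE are hypothetical.

// UNSAFE: string concatenation. Any quote or semicolon in `value` ends the
// string literal and the rest of `value` runs as code in whatever context
// the generated script executes in.
function buildScriptUnsafe(value) {
  return "var siteConfig = '" + value + "';";
}

// SAFE: JSON.stringify turns the value into a single quoted string literal;
// the extra escapes keep it inert even if the script text is later inlined
// into an HTML <script> element, which JSON.stringify alone does not cover.
function buildScriptSafe(value) {
  const literal = JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var siteConfig = " + literal + ";";
}

// Runs a generated script in a fresh function scope and reports what happened:
// the final value of siteConfig and whether the `marker` object was touched.
// `marker` stands in for "anything the data should never be able to reach".
function runGenerated(script) {
  const marker = { called: false };
  const fn = new Function("marker", "var siteConfig; " + script + " return siteConfig;");
  const siteConfig = fn(marker);
  return { siteConfig, markerCalled: marker.called };
}

// Constructed sample input: harmless as data, but shaped so that once it is
// concatenated into the unsafe template it closes the string literal and the
// remainder is parsed as a statement.
const SAMPLE_VALUE = "'; marker.called = true; '";

// Builds both variants from the same input and runs them side by side.
function demo() {
  return {
    unsafe: runGenerated(buildScriptUnsafe(SAMPLE_VALUE)),
    safe: runGenerated(buildScriptSafe(SAMPLE_VALUE)),
  };
}
```

With the unsafe builder the sample value reaches `marker` and `siteConfig` ends up empty; with the safe builder `siteConfig` holds the value verbatim and nothing else runs. In an extension, the stronger fix is to avoid generating script text from data at all and to pass the data through messaging or a data attribute instead, since script injected by an extension is not subject to the visited page's content security policy.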
