A significant security vulnerability, classified as Universal Cross-Site Scripting (UXSS), was recently identified in the DuckDuckGo browser designed for Android devices. This flaw, assigned a high-severity score of 8.6 on the CVSS scale, allowed potentially malicious cross-origin iframes to execute arbitrary JavaScript within the main context of a webpage.
Details of the UXSS Vulnerability
The vulnerability was first brought to light in a detailed blog post by security researcher Dhiraj Mishra. The root of the issue lies within the DuckDuckGo Android app’s JavaScript bridge, known as “AutoconsentAndroid.” This bridge is intended to streamline communication between the browser’s native Android code and the web pages it renders.
However, a critical oversight in security allowed this bridge to accept messages from any frame, regardless of the origin. It lacked the necessary checks to verify the source or require authentication tokens, leading to a breach of the Same-Origin Policy (SOP), a fundamental web security principle.
Exploit Mechanism and Impact
The exploit stems from the bridge’s handling of incoming messages. When a message is received, an internal function processes it and executes the JavaScript using the webView.evaluateJavascript(…) method. This behavior allows code execution in the main document rather than the isolated iframe, posing a significant security risk.
This flaw could be exploited by embedding a malicious iframe within a legitimate web page, which then uses the “AutoconsentAndroid” bridge to execute harmful JavaScript in the main document. Such an attack could bypass SOP protections, potentially allowing attackers to steal sensitive data like session cookies or inject malicious content into trusted websites.
Response and Mitigation
The issue was responsibly reported to DuckDuckGo via the HackerOne platform and has been swiftly addressed. The company has since released updates to patch the vulnerability in its Android browser.
Given the serious nature of UXSS vulnerabilities, which can be exploited without user interaction, users and administrators are strongly advised to update their DuckDuckGo applications to the latest version. This action is crucial to safeguard against potential exploitation and ensure secure browsing.
For ongoing updates on cybersecurity threats and best practices, follow our channels on Google News, LinkedIn, and X. Stay informed and secure in the rapidly evolving digital landscape.
