Microsoft Rewards Two Indian Techies Rs 15 Lakh for Discovering a Severe Security Vulnerability

by CISOCONNECT Bureau

Vansh Devgan of Uttar Pradesh and Shivam Kumar Singh of Jharkhand alerted Microsoft to a “vulnerable code” using uXSS (Universal Cross Site Scripting) in Microsoft’s Translator, which comes pre-installed in the Edge browser.

Microsoft recently patched the critical security holes in its Edge internet browser after two cyber security experts, Vansh Devgan from Uttar Pradesh and Shivam Kumar Singh from Jharkhand, alerted the company.

The researchers discovered a “vulnerable code” using uXSS (Universal Cross Site Scripting) in Microsoft’s Translator, which comes pre-installed in the Edge browser, and submitted it to the Edge on Chromium Bounty Program. They received the maximum reward of $20,000 (approximately Rs 15 lakh) from Microsoft.

Vansh has completed his third year of B.Tech Computer Science from Lovely Professional University and is a cyber security enthusiast, while Shivam operates his own firm and works part-time as a bug bounty hunter.

The CVE-2021-34506 security flaw has been patched in the latest release of Microsoft Edge Stable Channel (Version 91.0.864.59).

The security vulnerability had a significant impact: an attacker could inject arbitrary code, to do whatever they wanted, against anyone who used the Microsoft Edge browser to visit a website and clicked the language translate button to read the content in their selected language.

To stay secure, you should update your Microsoft Edge browser to the most recent version.

Vansh Devgan, who runs CyberXplore Private Limited along with his friend Shivam Kumar Singh, explained, “We created a profile on Facebook with a name in a different language and an XSS payload and sent a friend request to the victim (he is using Microsoft Edge); as soon as he checks our profile he got hacked (XSS popup because of auto translation).”

The sole requirements for running arbitrary code were to use Microsoft Edge and have Auto Translate enabled. The CyberXplore team explained the payload in a blog post, saying, “We have written a review on Google for a company HackENews with different language + XSS payload; any person browsing that review link got hacked (XSS popup because of auto translation).”

Using this vulnerability, the two experts claimed they were able to bypass YouTube and the Windows Store Application.

They explained, “Unlike the common XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in the browser or browser extensions in order to generate an XSS condition, and execute malicious code. When such vulnerabilities are found and exploited, the behavior of the browser is affected and its security features may be bypassed or disabled.”
