Researcher Finds Way to Bypass SOP Within Microsoft Edge Browser

For years, SOP has made sure that browsing stays safe by isolating different websites. Now, a researcher found a way around the protocol within Microsofts Edge browser.

The Same Origin Policy (SOP) has been an implicit operational condition for browsers since 1995. It stops scripts contained in one web page from accessing data in a second web page unless the two sites have the same origin. An origin is defined as a combination of URI scheme (domain or subdomain), host name and port number.
Now, however,
Netsparker security researcher Ziyahan Albeniz
has found that older versions of Microsofts Edge browser could be fooled into allowing this type of access from one web page to another.
Albeniz discovered that in the case of an HTML file sent via email and then run by Edge, the end result that SOP was supposed to forbid would happen. A local file could be read and exfiltrated from a target machine.

(Source:
Flickr
)
Of course, there is some social engineering involved in all of this. The user needs to download the HTML file in that poisoned email to start things off. HTML is not a usual file format transferred in this way, so the email will call attention to itself when it is encountered.
What actually happens if the email is opened is fairly simple. The HTML file is loaded by the file:// protocol when read from the email. Since it becomes a local file, there is no domain or port value associated with it.
The local file on the target machine will also not have a domain or port. So, in this case the ports on the two items match since both will have no port.
The hostname will also match. There is none in the file:// protocol. Finally, the protocol scheme between the two match. It’s file://.
So, SOP will present no objections to this intermingling.
The researcher felt that the Mail and Calendar app would sound the alarm if it was forced into executing a malicious HTML file. That didnt happen.
As Albeniz put it:

When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing [from the target machine —ed.] to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and, I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy!

This approach requires the attacker to know where the file desired is located, but there are routine locations used in many OS configurations.
So, while the approach may not serve well as a vehicle for the wide distribution of malware, a more specific approach designed for a high value target -- especially if it is used after some directory transversal recon malware has been first run on the target machine -- seems possible.
Albeniz writes that this vulnerability has already been fixed by Microsoft in both Edge and Mail and Calendars.
So, mitigation is straightforward. Use the latest versions of the programs, and dont open unknown HTML files in email. But be aware that this sort of attack is possible -- and deadly.
Related posts:
Kronos Returns as Banking Trojan Attacks Ramp Up
Attackers Combining Smoke Loader & PROPagate in New Campaign
Google, Firefox Pull Stylish After Report Shows How Data Is Collected
RIG Exploit Finds New Home in Cryptomining
— Larry Loeb has written for many of the last centurys major dead tree computer magazines, having been, among other things, a consulting editor for BYTE magazine and senior editor for the launch of WebWeek.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Researcher Finds Way to Bypass SOP Within Microsoft Edge Browser