Microsoft Edge hides a ‘white list’ that allows Facebook to run Flash code without the user knowing

Ivan Fratric, a security researcher at Google Project Zero, found in November 2018 that Microsoft's Edge browser shipped with a 'whitelist' of 58 websites that were allowed to run Adobe Flash content without user approval. After he reported it, Microsoft shipped an update that removed all but two of the sites from the list; both of the remaining entries belong to Facebook.

What is curious, and dangerous, about this list is that the sites on it can run Flash content without prior user approval, bypassing Edge's own security policy. In theory, Edge enforces click-to-play ('click2play') for Flash: the plugin that many sites used to power features has a long history of putting users' security at risk, so the browser is not supposed to run it until the user asks.

Facebook can run Flash despite Edge’s security policies

Ivan Fratric's discovery revealed a list of 58 exempted domains and subdomains that included, for example, the Microsoft website, the MSN portal, Deezer, Yahoo, the Chinese social network QQ and even 'dgestilistas.es', the site of a Spanish hairdresser.

After Microsoft's update to Edge, only two of the 58 domains were kept: https://www.facebook.com and https://apps.facebook.com. Microsoft has not explained why. Beyond that, Fratric pointed out security flaws inherent in keeping such a whitelist at all:

  • An XSS vulnerability in any of the whitelisted domains would let an attacker bypass the 'click2play' policy and execute malicious Flash code in the context of that domain.
  • Known and unpatched XSS vulnerabilities were found in at least some of the whitelisted domains.
  • The whitelist is not limited to 'https', so even without an XSS vulnerability a man-in-the-middle (MITM) attacker who can tamper with plain-http traffic to a listed domain could bypass the 'click2play' policy.

The default Flash whitelist in Edge (https://t.co/JxStUIxByE) really surprised me. So many sites for which I’m completely baffled as to why they’re there. Like a site of a hairdresser in Spain (https://t.co/50xdJvzksA) ?! I wonder how the list was formed. And if MSRC knew about it.

– Ivan Fratric (@ifsecure) February 19, 2019

As I mentioned, the strangest part is that of the 58 domains only two were kept, and both belong to Facebook. As a result, the social network can run any Flash widget larger than 398 x 298 pixels that is hosted on https://www.facebook.com or https://apps.facebook.com without asking the user.

For any other Flash content, Edge keeps its 'click2play' policy active: no site can run Flash without the user's permission, which the user grants through a prompt in the address bar.
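The following is an added example, not Edge's code and not anything published by Fratric or Microsoft: a small JavaScript model of the exemption described above (the two Facebook entries and the 398 x 298 pixel threshold are taken from the article) that shows why the third flaw in the list above matters. The weak version compares only the hostname, as the article says the real list effectively did, so a plain-http page served by a network attacker still qualifies; the strict version compares the full origin and requires https. The function names, the sample URLs and the widget sizes are assumptions constructed for illustration.

```javascript
// Added example modelling Edge's Flash click2play exemption as the article
// describes it. Whitelist entries and the size threshold come from the
// article; function names and sample inputs are assumptions.

// The two entries the article says survived Microsoft's update.
const WHITELIST = ["https://www.facebook.com", "https://apps.facebook.com"];

// Widgets larger than this (per the article) skip the click2play prompt.
const MIN_WIDTH = 398;
const MIN_HEIGHT = 298;

// Parse with the standard URL API (available in browsers and Node);
// return null for anything that is not an absolute URL.
function parseUrl(url) {
  try {
    return new URL(url);
  } catch (e) {
    return null;
  }
}

function bigEnough(width, height) {
  return width > MIN_WIDTH && height > MIN_HEIGHT;
}

// Weak check: compares only the hostname, so the scheme is ignored.
// This models the flaw Fratric describes: a MITM attacker who serves
// http://www.facebook.com/... still gets the exemption, and http gives
// the browser no way to tell the real site from the attacker.
function autoplayWeak(pageUrl, width, height) {
  const u = parseUrl(pageUrl);
  if (!u) return false;
  const hostAllowed = WHITELIST.some(
    (entry) => parseUrl(entry).hostname === u.hostname
  );
  return hostAllowed && bigEnough(width, height);
}

// Hardened check: requires https and compares the full origin
// (scheme + host + port), so only a TLS-authenticated page on a listed
// origin qualifies. Note that this still does nothing against the first
// two flaws: script injected via XSS on www.facebook.com runs in the
// listed origin and inherits the exemption.
function autoplayStrict(pageUrl, width, height) {
  const u = parseUrl(pageUrl);
  if (!u || u.protocol !== "https:") return false;
  const originAllowed = WHITELIST.some(
    (entry) => parseUrl(entry).origin === u.origin
  );
  return originAllowed && bigEnough(width, height);
}

// Constructed scenarios (not from the article) covering the cases that
// distinguish the two checks.
const SCENARIOS = [
  { note: "legitimate https page", page: "https://www.facebook.com/games/x", w: 760, h: 480 },
  { note: "MITM-served http page", page: "http://www.facebook.com/games/x", w: 760, h: 480 },
  { note: "unlisted subdomain", page: "https://m.facebook.com/", w: 760, h: 480 },
  { note: "widget at the threshold", page: "https://www.facebook.com/", w: 398, h: 298 },
  { note: "unlisted site", page: "https://example.org/", w: 760, h: 480 },
];

function evaluate() {
  return SCENARIOS.map((s) => ({
    note: s.note,
    weak: autoplayWeak(s.page, s.w, s.h),
    strict: autoplayStrict(s.page, s.w, s.h),
  }));
}

for (const r of evaluate()) {
  console.log(`${r.note.padEnd(24)} weak=${r.weak} strict=${r.strict}`);
}
```

The only scenario where the two checks disagree is the http page: the weak check auto-runs Flash there, which is exactly the MITM bypass in the third bullet, while the strict check refuses it. Whether Edge's actual implementation compared hostnames, origins or something else is not stated in the article; the model only shows the difference the scheme check makes.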

We have contacted Microsoft and Facebook to find out more details about this and will update this entry in case of news.

Update: Microsoft has sent us the following statement from John Hazen, Microsoft Edge Product Development Manager:

“We’re getting to the point where Flash is no longer part of the default Microsoft Edge experience anywhere, and the recent changes in February were the next step in the transition plan.”

Microsoft adds that there are still a few exceptions for websites that require Flash to work properly, but that "the next step will be to disable Flash by default on all websites".