Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs.
The whitelist allows Facebook Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.
Prior to February 2019, the secret Flash whitelist contained 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ, just to name the biggest names on the list.
Microsoft trimmed down the list to two Facebook domains earlier this month after a Google security researcher discovered several security flaws in Edge's secret Flash whitelist mechanism.
Ivan Fratric, the Google Project Zero security researcher who found this whitelist, described the security flaws he found as follows:
- An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
- There are already *publicly known* and *unpatched* instances of XSS vulnerabilities on at least some of the whitelisted domains.
- The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
Italicized text consists of additions made by ZDNet, for clarity.
Fratric filed a bug report with Microsoft last November, and Microsoft delivered a fix with this month's Patch Tuesday fixes by restricting the list from 58 URLs to only two domains and enforcing HTTPS for all domains included on the list. The bug report also contains the original version of the whitelist, with all the 58 domains.
In its current version, Edge will allow Facebook to execute any Flash widget that has a dimension of over 398x298 pixels and is hosted on the https://www.facebook.com and https://apps.facebook.com domains. Most likely, Facebook is on Microsoft's Edge whitelist to support the social network's large collection of legacy Flash games.
For any other Flash widget on any other website, Edge will respect its default click-to-play policy, meaning websites are not allowed to execute Flash without users' permission, which usually means enabling Flash execution through an address bar icon.
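To make the policy change concrete, here is an added model (not Microsoft's code, and not taken from the bug report) of the allowlist check the article describes, before and after the February fix. It assumes "over 398x298 pixels" means width greater than 398 and height greater than 298, and uses Node's built-in WHATWG `URL` class so that only the exact hostname is compared:

```javascript
// Added illustration, not Edge's implementation: a click-to-play allowlist
// check modelled on the article's description of the February 2019 fix.
// Assumption: "over 398x298" means width > 398 AND height > 298.
const MIN_WIDTH = 398;
const MIN_HEIGHT = 298;

// The two hosts that remain on the list after the fix (from the article).
const ALLOWED_HOSTS = new Set(["www.facebook.com", "apps.facebook.com"]);

// Returns true when Flash may run without the click-to-play prompt.
// The embedding page URL is parsed with the WHATWG URL class, so a
// look-alike host such as www.facebook.com.example.net never matches.
function flashAutoplays(pageUrl, width, height, requireHttps) {
  let u;
  try {
    u = new URL(pageUrl);
  } catch (e) {
    return false; // unparseable URL: fall back to click-to-play
  }
  if (!ALLOWED_HOSTS.has(u.hostname)) return false;
  if (requireHttps && u.protocol !== "https:") return false;
  return width > MIN_WIDTH && height > MIN_HEIGHT;
}

// Pre-fix policy: host match only. A plain-HTTP load of a listed site,
// which a network attacker can tamper with, still autoplayed Flash.
const autoplaysBeforeFix = (url, w, h) => flashAutoplays(url, w, h, false);
// Post-fix policy: the same host and size check, with HTTPS enforced.
const autoplaysAfterFix = (url, w, h) => flashAutoplays(url, w, h, true);

// Constructed sample embeds (not real Facebook URLs) for a self-check.
const SAMPLES = [
  ["https://apps.facebook.com/somegame/", 760, 600],   // listed, HTTPS
  ["http://www.facebook.com/legacy-game", 760, 600],   // listed, plain HTTP
  ["https://www.facebook.com.example.net/", 760, 600], // look-alike host
  ["https://www.facebook.com/tiny", 300, 250],         // below size threshold
  ["https://www.msn.com/", 760, 600],                  // dropped from the list
];

function evaluateSamples() {
  return SAMPLES.map(([url, w, h]) => ({
    url,
    before: autoplaysBeforeFix(url, w, h),
    after: autoplaysAfterFix(url, w, h),
  }));
}

console.table(evaluateSamples());
```

Note that the first of Fratric's points still applies to the fixed policy: an origin allowlist cannot tell injected script on a listed page from the site's own code, so an XSS on a listed host bypasses the prompt either way.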
Commenting on Twitter, the Google security researcher expressed surprise at who was managing the whitelist and how it came to be.
"So many sites for which I'm completely baffled as to why they're there," Fratric said. "Like a site of a hairdresser in Spain (http://www.dgestilistas.es)?! I wonder how the list was formed. And if [the Microsoft Security Response Center] knew about it."
When we reached out for comment, a Facebook spokesperson said they didn't ask Microsoft to be on the whitelist, and that they asked Microsoft to remove Facebook domains from the list.
Microsoft, on the other hand, didn't directly answer our questions regarding the whitelist, providing a statement on Flash's impending removal from Edge.
"We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan," the company told us.
Adobe and major browser makers are set to sunset Flash by the end of 2020, while Microsoft has announced plans to switch Edge from its proprietary EdgeHTML browser engine to Google's Chromium.
Updated with comments from Facebook and Microsoft.