Updated: 16 March 2021 at 16:33 UTC
XSS security flaw has already been patched in Google Chrome and Mozilla Firefox
UPDATED DuckDuckGo has fixed a universal cross-site scripting (uXSS) flaw in a popular browser extension for Chrome and Firefox.
The vulnerability was discovered in DuckDuckGo Privacy Essentials, which blocks hidden trackers and offers private browsing features.
It could be leveraged to achieve uXSS on victims’ devices, revealed researcher Wladimir Palant, meaning that arbitrary code could be executed on any domain.
While it has been patched in Chrome and, since the time of writing, in Mozilla Firefox, no update has been issued for other browsers such as Microsoft Edge.
Palant included more technical details about the attack in a blog post.
The security flaw could enable malicious actors to spy on all websites that the user is visiting, leaving sensitive information such as banking details and other data potentially accessible.
It leaves their privacy “completely compromised” when browsing online, said Palant, and can even exploit websites that have countermeasures such as a content security policy.
The vulnerability can only be exploited by somebody controlling http://staticcdn.duckduckgo.com, Palant noted, meaning that an attacker would need to gain access to the server.
Palant wrote: “Note how is inserted into this script without any escaping or sanitization. Is that data trusted? Sort of.
“The data used to decide about spoofing the user agent is downloaded from staticcdn.duckduckgo.com.
“So the good news [is]: the websites you visit cannot mess with it. The bad news: this data can be manipulated by DuckDuckGo, by Microsoft (hosting provider), or by anybody else who gains access to that server (hackers or government agency).”
Palant told The Daily Swig: “The attackers can spy on anything the users do in their browser, they can manipulate displayed information, take over accounts, impersonate the user.
“As a trivial consequence, online banking or shopping sessions can no longer be considered secure – the attackers can reroute transfers or shipments.
“As a more advanced consequence [if the attacker was a government agency], your communication in the browser is no longer private, even when using a secure mail provider like ProtonMail or communicating with journalists via SecureDrop.”
The vulnerability has so far been patched in version 2021.2.3 released for Google Chrome.
A Mozilla spokesperson told The Daily Swig: “A fixed version of the extension is now available. Firefox users will receive it either through manual or automatic extension update check, depending on their settings for extension updates.”
The Daily Swig has contacted Microsoft and will update this article accordingly.
This article has been updated to include the information that a patch has since been issued for Firefox.