Discovered by Jake Archibald, a developer advocate for Google Chrome, the vulnerability lies in the way browsers handle cross-origin requests for video and audio files. If exploited, it could allow a remote attacker to read the contents of your Gmail or private Facebook messages.

For security reasons, modern web browsers don't allow websites to make cross-origin requests to a different domain unless that domain explicitly allows it.

However, browsers treat media files differently: a website you visit can load audio and video files from other origins without any such restriction.

Browsers also support the Range request header and partial-content responses, which let a site serve just a portion of a large media file. This is useful when playing large media or downloading files with the ability to pause and resume.

In other words, media elements can join the pieces of multiple responses together and treat them as a single resource.

However, Archibald found that Mozilla Firefox and Microsoft Edge allowed media elements to mix visible and opaque data, or opaque data from multiple sources, within one resource, leaving a sophisticated attack vector open.
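The joining rule described above, modelled as an added example that is not code from the article or from any browser engine: each partial response a media element appends is tagged with its final origin (after any redirect) and with whether it is CORS-visible or opaque, and a piece whose tag differs from the first accepted piece is refused. That is the invariant the patched browsers enforce. The model goes slightly beyond the text by also validating that the Content-Range headers are well-formed and contiguous. The field names (origin, opaque, contentRange, body), the sample hostnames and the response bodies are constructed for this model and are not from the article.

```javascript
// Added example: a model of how a media element should (and, after the fix,
// does) assemble partial-content responses into one resource. Not the code of
// any real browser engine. Response objects use assumed fields:
//   origin       final origin the bytes came from, after redirects
//   opaque       true for a cross-origin fetch whose body script cannot read
//   contentRange the Content-Range header value, e.g. "bytes 0-3/8"
//   body         the bytes of that piece (a string here, for simplicity)

// Parse "bytes <start>-<end>/<total|*>" and reject inconsistent values.
function parseContentRange(header) {
  const m = /^bytes (\d+)-(\d+)\/(\d+|\*)$/.exec(header.trim());
  if (!m) throw new Error(`malformed Content-Range: ${header}`);
  const start = Number(m[1]);
  const end = Number(m[2]);
  const total = m[3] === "*" ? null : Number(m[3]);
  if (end < start || (total !== null && end >= total)) {
    throw new Error(`inconsistent Content-Range: ${header}`);
  }
  return { start, end, total };
}

// The identity every piece is tagged with. Two pieces may only be joined if
// they come from the same origin AND have the same visibility.
function responseKey(resp) {
  return `${resp.origin}|${resp.opaque ? "opaque" : "visible"}`;
}

class MediaResourceAssembler {
  constructor() {
    this.key = null;     // key of the first accepted piece
    this.nextByte = 0;   // offset the next piece must start at
    this.total = null;   // resource length, once a response reports it
    this.pieces = [];
  }

  // Append one partial response. A mismatched origin/visibility discards the
  // buffered data and fails, as a patched browser fails the media element.
  append(resp) {
    const key = responseKey(resp);
    if (this.key === null) {
      this.key = key;
    } else if (key !== this.key) {
      this.pieces = [];
      throw new Error(`refusing to mix ${this.key} with ${key}`);
    }
    const range = parseContentRange(resp.contentRange);
    if (range.start !== this.nextByte) {
      throw new Error(`non-contiguous range: expected ${this.nextByte}, got ${range.start}`);
    }
    if (resp.body.length !== range.end - range.start + 1) {
      throw new Error("body length does not match Content-Range");
    }
    if (range.total !== null) {
      if (this.total !== null && this.total !== range.total) {
        throw new Error("total length changed between pieces");
      }
      this.total = range.total;
    }
    this.pieces.push(resp.body);
    this.nextByte = range.end + 1;
    return this.nextByte;
  }

  isComplete() {
    return this.total !== null && this.nextByte === this.total;
  }

  assembled() {
    return this.pieces.join("");
  }
}

// Feed a whole sequence of responses and report whether it was accepted.
function assembleAll(responses) {
  const assembler = new MediaResourceAssembler();
  try {
    for (const resp of responses) assembler.append(resp);
    return { ok: true, complete: assembler.isComplete(), bytes: assembler.assembled() };
  } catch (err) {
    return { ok: false, reason: err.message };
  }
}

// Constructed sample responses (not captured traffic).
const SAME_ORIGIN_PIECES = [
  { origin: "https://media.example", opaque: true, contentRange: "bytes 0-3/8", body: "RIFF" },
  { origin: "https://media.example", opaque: true, contentRange: "bytes 4-7/8", body: "WAVE" },
];
const MIXED_ORIGIN_PIECES = [
  { origin: "https://site-a.example", opaque: false, contentRange: "bytes 0-3/8", body: "RIFF" },
  { origin: "https://site-b.example", opaque: true, contentRange: "bytes 4-7/8", body: "1234" },
];

console.log(assembleAll(SAME_ORIGIN_PIECES));   // accepted, complete
console.log(assembleAll(MIXED_ORIGIN_PIECES));  // refused: mixed origins
```

The key is what matters: a redirect that lands on a different origin, or a switch from a CORS-visible response to an opaque one on the same origin, both change the tag and cause the second piece to be refused rather than silently appended.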


"Bugs started when browsers implemented range requests for media elements, which wasn't covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each other's behaviour, but no one integrated it into the standard," Archibald explained.

"I created a site that does the above. I used a PCM WAV header because everything after the header is valid data, and whatever Facebook returned would be treated as uncompressed audio," Archibald said.

"This is why standards are important. I believe Chrome had a similar security issue long ago, but instead of just fixing it in Chrome, the fix should have been written into a standard, and tests should have been written for other browsers to check against," Archibald said.

Firefox and Edge users are therefore strongly advised to make sure they are running the latest version of their browser.
