Jake Archibald discovered a really nice browser bug (which is fixed by now) by which he was able to steal data from remote sites by loading it in as a (fake) wav file.
The exploit works as follows:
- Make a request to
evil-script, using aContent-Rangeheader to suggest there’s more data to be loaded afterwards. - Have
evil-scriptreturn a valid WAV PCM header block, but also have it return aRedirectresponse header to the cross-origin (!) location you want to read out. - Since a
Content-Rangeheader was used, the browser will make a second request to fetch the rest of the data.- A browser susceptible to this exploit will actually make the request to the remote location defined in the
Redirectheader. - Good browsers will stop here, throwing a CORS error.
- A browser susceptible to this exploit will actually make the request to the remote location defined in the
- Store the returned data in an
<audio>element. - Play back the audio fragment, and meanwhile read out its data using a
ScriptProcessorNode.
Not all browsers were affected by this bug: in Firefox you could only get the length of the returned content, and it was only in Edge that Jake was able to read out the actual contents of the generated wav file. Here’s a video of Edge (warning: as it’s raw data you’ll only hear glitches and stuff … you might want to turn down the volume):
Nice find Jake!
A shame the process of reporting this bug with the Edge team didn’t go that smooth though (details in Jake’s post). I’m confident the Edge team will adjust / already have adjusted a few things internally to prevent this obstacle course from happening again.
Jake Archibald: “I discovered a browser bug” →
Other neat hacks that recently made rounds was this one, using the W3C Ambient Light Sensor API and this one using mix-blend-mode. Always fun to see smart people find a way to abuse a new technology that seems safe at first 🙂