Wavethrough – Stealing data from remote sites through (fake) wav files

Jake Archibald discovered a really nice browser bug (fixed by now) that let him steal data from remote sites by loading it as a (fake) wav file.

The exploit works as follows:

  1. Point an <audio> element at evil-script. The script answers with a 206 Partial Content response whose Content-Range header claims the file is much longer than what was just sent, suggesting there's more data to be loaded afterwards.
  2. The body of that first response is nothing but a valid WAV PCM header block.
  3. Since a Content-Range header was used, the browser makes a second (range) request to fetch the rest of the data. evil-script answers that second request with a redirect to the cross-origin (!) location you want to read out.
    • A browser susceptible to this exploit follows the redirect and splices the cross-origin response in as the remaining audio data.
    • Good browsers stop here and fail the load, as a cross-origin response must not be mixed into a media resource that started out same-origin.
  4. The <audio> element now holds a "wav file" whose samples are the remote site's bytes.
  5. Play back the audio fragment and, meanwhile, read out its decoded samples using a ScriptProcessorNode.

Not all browsers were affected by this bug: in Firefox you could only get the length of the returned content, and it was only in Edge that Jake was able to read out the actual contents of the generated wav file. Here's a video of Edge doing just that (warning: as it's raw data you'll only hear glitches and noise, so you might want to turn down the volume):

Nice find Jake!

A shame the process of reporting this bug to the Edge team didn't go that smoothly though (details in Jake's post). I'm confident the Edge team will adjust / already have adjusted a few things internally to prevent this obstacle course from happening again.

Jake Archibald: “I discovered a browser bug” →

Other neat hacks that recently made the rounds were this one, abusing the W3C Ambient Light Sensor API, and this one, using mix-blend-mode. Always fun to see smart people find a way to abuse a new technology that seems safe at first 🙂

