
Microsoft Edge lets Facebook run Flash content without consent

Microsoft Edge logo on Start menu (Image credit: Windows Central)

Despite security policies requiring user permission for websites to run Flash content, Microsoft Edge has a hidden whitelist that allows Facebook to run Flash code without consent.

As first reported by ZDNet, the whitelist was discovered by Google Project Zero security researcher Ivan Fratric, who also found security flaws involving the whitelist. The flaws include:

  • An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
  • There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains.
  • The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

Microsoft Edge currently relies on a click-to-play policy for Flash, which explicitly requires the user's permission to run any Flash-based content. The secret whitelist allows Facebook to bypass this policy for Flash widgets that are larger than 398x298 pixels and are hosted on https://www.facebook.com and https://apps.facebook.com. As ZDNet speculates, this is likely so that Edge will continue to support Facebook's legacy collection of Flash games. However, when reached for comment, Facebook told ZDNet that it never asked Microsoft to be added to a whitelist and that it has since requested that Microsoft remove it from the list.
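To make the third flaw in the list above concrete, here is an added example, written for this page and not taken from Edge or from Fratric's report, of what a click-to-play exemption check looks like when it keys only on the host name versus when it also requires a secure origin. The two allowlisted hosts and the 398x298 threshold come from the article; the function names, the embed records and the sample inputs are constructed for illustration.

```javascript
// Added example (not Edge's code): two versions of a click-to-play
// exemption check for an embedded Flash object. Allowlist hosts and the
// size threshold are from the article; everything else is constructed.

const ALLOWLIST_HOSTS = ["www.facebook.com", "apps.facebook.com"];
const MIN_WIDTH = 398;
const MIN_HEIGHT = 298;

// Weak check: matches on host name only, ignoring the scheme. A plain-http
// page on the same host is exempted too, so an on-path (MITM) attacker who
// can rewrite that page gets Flash running without the user's consent.
function weakIsExempt(embed) {
  const page = new URL(embed.pageUrl);
  return ALLOWLIST_HOSTS.includes(page.hostname)
    && embed.width > MIN_WIDTH && embed.height > MIN_HEIGHT;
}

// Hardened check: the embedding page and the Flash object itself must both
// come from an https origin, and the host must match exactly. This closes
// the MITM gap only; an XSS on an allowlisted page still defeats it, which
// is why removing the allowlist is the real fix.
function hardenedIsExempt(embed) {
  const page = new URL(embed.pageUrl);
  const src = new URL(embed.swfUrl, page);
  if (page.protocol !== "https:" || src.protocol !== "https:") return false;
  if (!ALLOWLIST_HOSTS.includes(page.hostname)) return false;
  return embed.width > MIN_WIDTH && embed.height > MIN_HEIGHT;
}

// Constructed sample embeds (hypothetical URLs) covering the cases that
// separate the two checks.
const SAMPLE_EMBEDS = [
  { label: "https page, https swf, large",
    pageUrl: "https://apps.facebook.com/game/",
    swfUrl: "https://apps.facebook.com/game.swf", width: 800, height: 600 },
  { label: "http page (rewritable by a MITM)",
    pageUrl: "http://www.facebook.com/page",
    swfUrl: "http://www.facebook.com/widget.swf", width: 800, height: 600 },
  { label: "https page but swf over http (mixed content)",
    pageUrl: "https://www.facebook.com/page",
    swfUrl: "http://www.facebook.com/widget.swf", width: 800, height: 600 },
  { label: "https page, widget below size threshold",
    pageUrl: "https://www.facebook.com/page",
    swfUrl: "https://www.facebook.com/small.swf", width: 300, height: 200 },
];

// Runs both checks over the samples and returns one row per embed.
function evaluateAll(embeds) {
  return embeds.map((e) => ({
    label: e.label,
    weak: weakIsExempt(e),
    hardened: hardenedIsExempt(e),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(evaluateAll(SAMPLE_EMBEDS));
}
```

Running the block prints a table in which the http page and the mixed-content case are exempted by the weak check but blocked by the hardened one, while the large https case passes both and the undersized widget passes neither. The point of the comparison is that a host-only allowlist silently extends a trust decision made for an https origin to its insecure counterpart, which is exactly the gap the report's third item describes.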

While the two Facebook domains are the only ones currently included on the whitelist, it was much bigger prior to February. When it was originally discovered, the list contained a total of 58 URLs, including entries for Microsoft's own site, along with Deezer, Yahoo, and more. After the list's discovery, Fratric filed a bug report with Microsoft in November. The whitelist was pared down to the two Facebook URLs with this month's "Patch Tuesday" updates.

While Microsoft didn't comment on the list directly, the company told ZDNet in a statement: "We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan."

Due to security concerns, all major browsers have implemented "click-to-play" policies regarding Flash content. Adobe, the company behind Flash, has outlined plans to retire it by 2020. Microsoft, meanwhile, has announced plans to switch Edge from its own EdgeHTML engine to Chromium.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

8 Comments
  • This goes really well with Edge not allowing users to permanently enable Flash for other sites due to "Security concerns".
  • Scary. What else is hiding in Windows 10?
  • Wait wait wait, Flash is still a thing?
  • UFC.tv uses Flash.
  • Surprisingly Netgear Arlo uses Flash to control their cameras on their website... I figured they would have already dropped that in favor of HTML5. NOPE...
  • People still use Facebook?
  • How is it that one of the biggest sites on the internet still uses flash? I had assumed it would be all the mom & pop websites that were the stragglers. I've never used facebook, but I know there used to be games. So maybe that is why it requires flash?
  • People use edge???