Microsoft Edge allows Facebook to run Flash content without user approval

Although Edge's click-to-play policy requires user permission before a website can run Flash content, the browser ships a hidden whitelist that lets Facebook run Flash code without that consent.

As first reported by ZDNet, the whitelist was discovered by Google Project Zero security researcher Ivan Fratric, who also identified security flaws in the whitelist itself. The flaws, as described in his report, include:

  • An XSS vulnerability on any of the domains would allow bypassing click2play policy [and running malicious Flash code on these domains].
  • There are already publicly known and unpatched instances of XSS vulnerabilities on at least some of the whitelisted domains.
  • The whitelist is not limited to https. Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.

Microsoft Edge currently relies on a click-to-play policy for Flash, which explicitly requires user permission before any Flash-based content runs. The secret whitelist lets Facebook bypass this policy for Flash content larger than 398x298 pixels that is hosted on https://www.facebook.com or https://apps.facebook.com. As ZDNet speculates, this is likely so that Edge will continue to support Facebook's legacy collection of Flash games. However, when reached for comment, Facebook told ZDNet that it never asked Microsoft to be added to a whitelist and has since asked Microsoft to remove it from the list.
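To make the third flaw in the list above concrete, here is an added illustration in JavaScript (not code from the article, Microsoft, or Project Zero) of a click-to-play exemption check. The two whitelist URLs, the https requirement and the 398x298 threshold come from the article; the function names, the strict "larger than" comparison, and the idea that the weak check keyed on hostname alone are assumptions made for the example. Neither variant helps against the XSS case in the first bullet, since injected script already runs inside an allowed origin.

```javascript
// Illustrative model of a click-to-play exemption check. This is NOT
// Microsoft Edge's actual implementation; the whitelist entries and the
// size threshold follow the article's description, everything else is
// an assumption made for this example.

const WHITELIST = ['https://www.facebook.com', 'https://apps.facebook.com'];
const MIN_WIDTH = 398;   // article: content "over 398x298 pixels"
const MIN_HEIGHT = 298;

function largeEnough(width, height) {
  return width > MIN_WIDTH && height > MIN_HEIGHT;
}

// Weak variant (assumed): matches on hostname only and ignores the scheme.
// A network attacker who answers for http://www.facebook.com over plain
// HTTP is granted the same exemption as the real site, which is the MITM
// bypass the report describes.
function isExemptWeak(pageUrl, width, height) {
  const host = new URL(pageUrl).hostname;
  const allowedHosts = WHITELIST.map(u => new URL(u).hostname);
  return allowedHosts.includes(host) && largeEnough(width, height);
}

// Hardened variant: compares the full origin (scheme + host + port), so only
// a page actually delivered over https from a listed host is exempt.
function isExemptStrict(pageUrl, width, height) {
  const origin = new URL(pageUrl).origin;
  const allowedOrigins = WHITELIST.map(u => new URL(u).origin);
  return allowedOrigins.includes(origin) && largeEnough(width, height);
}

// Constructed sample pages: the real site over https, the same host over
// plain http (what a MITM attacker can serve), a look-alike host, and a
// widget just under the size threshold.
const SAMPLES = [
  { url: 'https://www.facebook.com/games', w: 760, h: 600 },
  { url: 'http://www.facebook.com/games', w: 760, h: 600 },
  { url: 'https://www.facebook.com.evil.example/', w: 760, h: 600 },
  { url: 'https://apps.facebook.com/', w: 398, h: 298 },
];

// Returns, for each sample, what each variant would decide.
function compareVariants(samples = SAMPLES) {
  return samples.map(s => ({
    url: s.url,
    weak: isExemptWeak(s.url, s.w, s.h),
    strict: isExemptStrict(s.url, s.w, s.h),
  }));
}

for (const r of compareVariants()) {
  console.log(`${r.url}  weak=${r.weak}  strict=${r.strict}`);
}
```

The only row on which the two variants disagree is the plain-http one: keying the exemption on the full origin rather than the hostname closes the MITM path without changing behaviour for the legitimate https pages.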

While the two Facebook domains are the only ones currently on the whitelist, it was far larger before February. When first discovered, the list contained a total of 58 URLs, including entries for Microsoft's own site, along with Deezer, Yahoo, and more. Fratric reported the whitelist to Microsoft in November, and this month's "Patch Tuesday" updates pared it down to the two Facebook URLs.

While Microsoft didn't comment on the list directly, the company told ZDNet in a statement: "We are nearing the point where Flash is no longer part of the default experience in Microsoft Edge on any site and the recent changes in February were the next step of the transition plan."

Due to security concerns, all major browsers have implemented "click-to-play" policies regarding Flash content. Adobe, the company behind Flash, has outlined plans to retire it by 2020. Microsoft, meanwhile, has announced plans to switch Edge from its own EdgeHTML engine to Chromium.