Flash “security bypass” list hidden in Microsoft Edge browser
Google Project Zero researcher Ivan Fratric said he stumbled on the list last November when he analysed domain hashes inside the
Fratric eventually resolved 56 of the 58 hashes to be a bypass list of domains that included Facebook, MSN, Deezer, and Yahoo Japan, which all contain some legacy Flash content.
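How a hashed allowlist like the one described above can be resolved back to plaintext domains, as an added illustration that is not Fratric's or Microsoft's code: the embedded list is constructed here, and the hash algorithm (SHA-256 over the lowercase domain) is an assumption, since the article does not say how Edge stored its entries.

```python
import hashlib

def domain_hash(domain: str) -> str:
    """Hash a domain the way the (assumed) allowlist stores it."""
    return hashlib.sha256(domain.lower().strip().encode("ascii")).hexdigest()

# Constructed stand-in for the hashes found in the binary: four entries whose
# plaintext is in our candidate list, plus one that is deliberately not, so it
# stays unresolved (as two of the real 58 did).
EMBEDDED_HASHES = [
    domain_hash(d)
    for d in ("facebook.com", "www.msn.com", "deezer.com", "yahoo.co.jp",
              "unresolved-entry.example")
]

# Constructed candidate list an analyst would assemble from sites known to
# carry legacy Flash content; note msn.com lacks the "www." form above.
CANDIDATES = ["facebook.com", "msn.com", "deezer.com", "yahoo.co.jp", "example.com"]

def expand_candidates(domains):
    """Add the obvious variant of each candidate ("www." added or stripped)
    so that hashes of either form are tried."""
    out = set()
    for d in domains:
        d = d.lower().strip()
        out.add(d)
        out.add(d[4:] if d.startswith("www.") else "www." + d)
    return sorted(out)

def resolve_hashes(hashes, candidates):
    """Match each embedded hash against hashes of the expanded candidates.
    Returns (resolved: {hash: domain}, unresolved: [hash, ...])."""
    lookup = {domain_hash(c): c for c in expand_candidates(candidates)}
    resolved, unresolved = {}, []
    for h in hashes:
        if h in lookup:
            resolved[h] = lookup[h]
        else:
            unresolved.append(h)
    return resolved, unresolved

if __name__ == "__main__":
    found, missing = resolve_hashes(EMBEDDED_HASHES, CANDIDATES)
    print(f"resolved {len(found)} of {len(EMBEDDED_HASHES)} hashes")
    for h, d in found.items():
        print(f"  {h[:16]}...  ->  {d}")
```

Unresolved hashes are the entries worth the most attention in an audit, since nothing tells you which site they grant the exception to.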
Having a bypass list built into Edge is risky, says Fratric.
Flash is well-known for vulnerabilities, which is why users are regularly reminded either to run it only when necessary or, better still, not run it at all.
Although the setting had limitations (the content must be hosted on the same domain or larger than 398×298 pixels), Fratric said he was alarmed at the reasoning behind having a list of this sort inside Edge that users know nothing about.
Some of the domains didn’t implement HTTPS security, which meant:
Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.