Categories: Cyber Security News

DuckDuckGo Browser UXSS Flaw in Auto Consent JS Bridge Enables Cross-Origin Code Execution

A high-severity Universal Cross-Site Scripting (UXSS) vulnerability was recently disclosed in the DuckDuckGo Android browser.

The flaw let an untrusted, cross-origin iframe execute arbitrary JavaScript in the top-level origin of the page that embedded it; it carries a CVSS score of 8.6 (High).

The vulnerability was originally detailed in a Medium post by security researcher Dhiraj Mishra.

The vulnerability stems from the “AutoconsentAndroid” JavaScript bridge, a native component injected into web pages loaded by the DuckDuckGo Android application (com.duckduckgo.mobile.android).

The bridge exists to let the browser’s native Android code and the displayed web page exchange messages.

However, it never checked who was talking to it, and that missing check amounted to a break of the Same-Origin Policy (SOP).

DuckDuckGo Browser UXSS Vulnerability

The root cause lies in how the AutoconsentAndroid bridge handles incoming messages: it accepts messages from any frame in the page, including cross-origin iframes, without validating the caller’s origin and without requiring a secret token that only the top-level frame would know.

When the bridge receives a message, an internal eval handler processes it and calls the webView.evaluateJavascript(…) method.

In an Android WebView, that method runs the supplied JavaScript in the main (top-level) frame of the page, not in the isolated iframe that sent the message.

Because of this behavior, a malicious iframe embedded in a legitimate webpage could use the AutoconsentAndroid bridge as a proxy.

By sending a crafted message carrying malicious JavaScript, the iframe could force the top-level page to execute it, with full access to the embedding origin’s DOM, cookies and web storage.


This completely bypasses the Same-Origin Policy, a fundamental security mechanism that prevents scripts on one webpage from accessing sensitive data on another.

According to Mishra, the issue was reported to the vendor via HackerOne and has since been fully patched by DuckDuckGo.

UXSS is treated as a critical browser-class vulnerability because it needs no interaction beyond loading a page: it breaks the isolation between origins that every other web-security control assumes.

Getting a user to open any page that embeds an attacker-controlled iframe (an ad slot or third-party widget is enough) would let the attacker run arbitrary JavaScript in that page’s origin, entirely separate from the iframe’s own.

This architectural flaw could allow threat actors to steal sensitive information such as session cookies (any not marked HttpOnly) and authentication tokens held in the DOM or web storage.

They could also invisibly inject malicious content into any trusted website the user visits through the vulnerable browser. The vulnerability was reachable under the browser’s default settings.

Following the responsible disclosure through HackerOne, DuckDuckGo promptly addressed the issue, and the vulnerability has been patched in recent releases of the Android browser.

Users and enterprise administrators should confirm that the DuckDuckGo application is updated to the latest available version, since the bridge is present and reachable in unpatched builds without any configuration change.

The post DuckDuckGo Browser UXSS Flaw in Auto Consent JS Bridge Enables Cross-Origin Code Execution appeared first on Cyber Security News.
