Flash “security bypass” list hidden in Microsoft Edge browser – Naked Security

Until this month, Microsoft’s Windows 10 Edge browser could skip over its own “Are you sure?” warnings about Flash content on 58 websites, thanks to a bypass list kept hidden from users.

Google Project Zero researcher Ivan Fratric said he stumbled on the list last November when he analysed domain hashes inside the edgehtmlpluginpolicy.bin file.

Fratric eventually resolved 56 of the 58 hashes to domain names, revealing a bypass list that included Facebook, MSN, Deezer, and Yahoo Japan, all of which still host some legacy Flash content.

Having a bypass list built into Edge is risky, says Fratric.

Flash is well-known for vulnerabilities, which is why users are regularly reminded either to run it only when necessary or, better still, not run it at all.

Although the setting had limitations (the Flash content had to be hosted on the same domain as the page, or be larger than 398×298 pixels), Fratric said he was alarmed at the reasoning behind keeping a list of this sort inside Edge without users knowing anything about it.

Some of the domains didn’t implement HTTPS security, which meant:

Even in the absence of an XSS vulnerability, this would allow a MITM attacker to bypass the click2play policy.
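The points above (a hashed domain list that an auditor can resolve with a candidate dictionary, the same-domain-or-size rule that governs the bypass, and the extra exposure of listed domains served without HTTPS) can be modelled in a few lines. The following is an added illustration written for this article, not Microsoft's code and not Fratric's tooling: the hash function (SHA-256 of the lowercase host), the sample domains, the candidate dictionary and the HTTPS map are all constructed assumptions, since the article does not describe the real format of edgehtmlpluginpolicy.bin.

```python
import hashlib

# Constructed sample data (assumptions for illustration only).
BYPASS_DOMAINS = ["facebook.com", "msn.com", "deezer.com", "yahoo.co.jp"]
# A tiny candidate dictionary an auditor might hash and compare against the list.
CANDIDATES = ["google.com", "facebook.com", "msn.com", "deezer.com",
              "yahoo.co.jp", "example.org"]
# Constructed: whether each listed domain serves its pages over HTTPS.
SERVES_HTTPS = {"facebook.com": True, "msn.com": True,
                "deezer.com": False, "yahoo.co.jp": False}

MIN_WIDTH, MIN_HEIGHT = 398, 298  # size threshold quoted in the article


def domain_hash(domain: str) -> str:
    """Hash a host the way an opaque allowlist would store it (assumed: SHA-256)."""
    return hashlib.sha256(domain.strip().lower().encode("ascii")).hexdigest()


def build_hashed_list(domains):
    """Store only hashes; this is what makes the list look 'hidden' to a casual reader."""
    return {domain_hash(d) for d in domains}


def resolve_hashes(hashed_list, candidates):
    """Audit step: recover plaintext domains by hashing a candidate dictionary.
    Returns (resolved {hash: domain}, unresolved hashes). An opaque list is only
    as hidden as its entries are unguessable; popular sites are easy to guess."""
    resolved = {}
    for host in candidates:
        h = domain_hash(host)
        if h in hashed_list:
            resolved[h] = host
    unresolved = set(hashed_list) - set(resolved)
    return resolved, unresolved


def click_to_play_bypassed(page_domain, flash_host, width, height, hashed_list):
    """Model of the bypass rule as the article describes it: the page's domain must be
    on the list, and the Flash object must be same-domain or larger than 398x298.
    Everything else keeps the 'Are you sure?' prompt."""
    if domain_hash(page_domain) not in hashed_list:
        return False
    same_domain = page_domain.lower() == flash_host.lower()
    large_enough = width > MIN_WIDTH and height > MIN_HEIGHT
    return same_domain or large_enough


def mitm_exposed(resolved, https_map):
    """Listed domains served without HTTPS: on those, a network attacker could alter
    the page so Flash content plays without a prompt, which is the quoted concern."""
    return sorted(host for host in resolved.values() if not https_map.get(host, False))


if __name__ == "__main__":
    hashed = build_hashed_list(BYPASS_DOMAINS)
    resolved, unresolved = resolve_hashes(hashed, CANDIDATES)
    print(f"resolved {len(resolved)} of {len(hashed)} hashes: {sorted(resolved.values())}")
    print("same-domain object on a listed site bypasses the prompt:",
          click_to_play_bypassed("facebook.com", "facebook.com", 100, 100, hashed))
    print("small third-party object on a listed site still prompts:",
          not click_to_play_bypassed("msn.com", "cdn.example", 200, 100, hashed))
    print("unlisted site always prompts:",
          not click_to_play_bypassed("example.org", "example.org", 1000, 800, hashed))
    print("listed domains without HTTPS:", mitm_exposed(resolved, SERVES_HTTPS))
```

The design point to take away is the audit function: hashing does not hide a list whose entries come from a small, predictable set, so a hashed allowlist should be treated as public when assessing the risk of the policy it enforces.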