Home News DuckDuckGo Quacks Again About uXSS Vulnerability in Multiple Browsers

DuckDuckGo Quacks Again About uXSS Vulnerability in Multiple Browsers

DuckDuckGo’s Universal Cross-site Scripting (uXSS) vulnerability, which has now been fixed in Chrome and Firefox extensions, could have allowed arbitrary code execution on any domain.

Positioned as a private search engine that doesn’t track users, DuckDuckGo claims that it does not store users’ IP addresses or search details. Many users use DuckDuckGo for its privacy features. But recent vulnerability disclosures have made users question their data privacy.

Security experts recently uncovered a Universal Cross-site Scripting (uXSS) vulnerability in multiple browser extensions, including Chrome, Microsoft Edge, and Firefox. The vulnerability exists in DuckDuckGo’s Privacy Essentials feature, which blocks hidden trackers and offers private browsing features to users.

What is Cross-site Scripting (XSS)

Cross-site scripting (XSS) is a type of flaw found in web applications. It allows attackers to inject client-side scripts into web pages viewed by other users and bypass access controls.

Cyber Snooping

Discovered by security researcher Wladimir Palant, the uXSS vulnerability can be exploited by an attacker to execute arbitrary code on any domain. The flaw could enable threat actors to spy on users’ online activities, leaving their sensitive information at risk. However, Palant stated that an attacker must gain access to the DuckDuckGo server to exploit the vulnerability.

“The vulnerability gave a DuckDuckGo server way more privileges than intended: a Cross-site Scripting (XSS) vulnerability in the extension allowed this server to execute arbitrary JavaScript code on any domain. The attackers can spy on anything the users do in their browser, they can manipulate displayed information, take over accounts, impersonate the user. As a trivial consequence, online banking or shopping sessions can no longer be considered secure – the attackers can reroute transfers or shipments,” Palant said.

Patch on the Way!

While the vulnerability has been patched in Chrome and Mozilla Firefox, a security update for other browsers like Microsoft Edge is expected to be released shortly. “These vulnerabilities are very typical; I’ve seen similar mistakes in other extensions many times. This isn’t merely extension developers being clueless. The extension platform introduced by Google Chrome simply doesn’t provide secure and convenient alternatives. So, most extension developers are bound to get it wrong on the first try,” Palant added.

DuckDuckGo Slams Google for Spying

Google recently updated its iOS applications with the App Store privacy labels to give users clarity about what type of data the app collects from users. DuckDuckGo leveraged this situation promptly to show how much data both Google and Google Chrome collect from their users comparing what they collect, which is null. In a Twitter post, DuckDuckGo slammed the search engine giant for spying on users’ search details by using App Store privacy labels as proof.