Jake Archibald, a developer advocate for Google Chrome, accidentally discovered a browser bug that steals data from other websites. He discovered this bug a few months back and disclosed it today by writing a blog post on it.
He named this bug WaveThrough, as it's related to audio files and frequency stuff, and made the following logo.
Archibald said:
“Bugs started when browsers implemented range requests for media elements, which wasn’t covered by the standard. These range requests were genuinely useful, so all browsers did it by copying each other’s behaviour, but no one integrated it into the standard.”
This loophole can be exploited by a malicious website using a media file on a webpage. If the file is played, the site serves only partial content from its own server and asks the browser to fetch the rest of the file from a different origin, forcing the browser to make a cross-origin request. The second request, which is actually a cross-origin request and should be restricted, succeeds because mixing visible and opaque data is allowed for a media file, allowing one website to steal content from another.
Archibald created a website, tested this loophole, and it worked and allowed him to steal data. He briefly explains the process in his video.
Chrome and Safari already have a policy of blocking these cross-origin requests, so they are still safe to use. Other browsers like Firefox and Edge were found vulnerable; however, their vendors released patches as Archibald posted about the issue, so update your browsers to remain secure and browse freely. I highly recommend updating your browsers as soon as updates are available, and don't use untrusted and non-popular browsers, or you will end up screwing yourself.
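The difference between the vulnerable behaviour and the blocking policy described above can be shown with a small model. This is an added example, not browser source code or code from Archibald's post; the function names, field names and example URLs are constructed for illustration.

```javascript
// Simplified model of a media element assembling one file from several range
// responses. Not browser source code; field names and URLs are constructed.

// Constructed sample: the first part comes from the page's own server, the
// second part is fetched from a different origin and is therefore opaque.
const sampleResponses = [
  { url: "https://media.example/clip.wav", range: [0, 43], opaque: false },
  { url: "https://other.example/private", range: [44, 1023], opaque: true },
];

function assembleMedia(responses, { enforceSameOrigin }) {
  const accepted = [];
  let firstOrigin = null;
  for (const [index, res] of responses.entries()) {
    const origin = new URL(res.url).origin;
    if (firstOrigin === null) {
      firstOrigin = origin; // the first response fixes the expected origin
    } else if (enforceSameOrigin && origin !== firstOrigin) {
      // Blocking policy: stop before any cross-origin bytes are appended.
      return { accepted, rejected: { index, from: firstOrigin, to: origin } };
    }
    accepted.push({ origin, range: res.range, opaque: res.opaque });
  }
  return { accepted, rejected: null };
}

// True when the assembled file contains both readable and opaque parts,
// which is the mixed state the loophole depends on.
function mixesVisibleAndOpaque(parts) {
  return parts.some((p) => p.opaque) && parts.some((p) => !p.opaque);
}

const permissive = assembleMedia(sampleResponses, { enforceSameOrigin: false });
const strict = assembleMedia(sampleResponses, { enforceSameOrigin: true });
console.log("permissive mixes data:", mixesVisibleAndOpaque(permissive.accepted));
console.log("strict rejected:", strict.rejected);
```

With the check disabled, the model ends up with one file built from two origins; with it enabled, loading stops at the first response whose origin differs from the first one.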