Microsoft Edge Lets Facebook Run Flash Code Behind Users' Backs

An anonymous reader writes: Microsoft's Edge browser contains a secret whitelist that lets Facebook run Adobe Flash code behind users' backs. The whitelist allows Facebook's Flash content to bypass Edge security features such as the click-to-play policy that normally prevents websites from running Flash code without user approval beforehand.

The whitelist isn't new. It existed in Edge before, and prior to February 2018, it included 58 entries, including domains and subdomains for Microsoft's main site, the MSN portal, music streaming service Deezer, Yahoo, and Chinese social network QQ. The list was narrowed down to only two Facebook domains (facebook.com and apps.facebook.com) after a Google security researcher found that the whitelist mechanism had some security issues. The bug report also contains the original version of the whitelist, with all the 58 domains.

Microsoft security

[QuietLagoon]

An oxymoron if I ever saw one.

Better joke:

[Anonymous Coward]

How many Edge users were upset to learn about the secret whitelist that allows Facebook to run Flash?

Both!

Re:

[Darinbob]

But I came here for an argument!

Re:

[ThomasD3]

He probably gave up on the internet :) The funny thing is that after MS tortured everyone with IE, even if Edge was amazing, most of us wouldn't even give it a chance.

Is this like Net Neutrality.

[jellomizer]

Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

As doing web development, when I see something interesting, I will dig into the code to figure it out. Like how Google gave the search suggestions while typing, and Google Maps a while back, that is where I learned Ajax. But if all the major browser makers, just made a <GoogleSearchAhead> tag If I were to try to make something based on the technology, it would be blocked to me.

Re:

[Anonymous Coward]

Except for a fast lane, big companies are bypassing necessary security blocks to "trusted" (aka paying) sites.
These free passes are really an issue on the open web. As it means Facebook can have features enabled that other sites may not (at least without a warning).

You can do everything you need to do and live a very nice life without Facebook or Edge.

Don't use Edge and Facebook blocked in hosts file (and at the router, just to be sure). Problem solved.

Re:

[viperidaenz]

You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.
Browsers are moving towards dns over http, which bypasses your hosts file.

Good luck with your blocking.

Re:

[Archangel Michael]

Add in Pi-Hole to the mix, and you'll be even better off.

Re:

[Archangel Michael]

Hey Wiretap, what is a good recipe for Chocolate Cake?

Re:

[msauve]

Perhaps, but any decent firewall can block based on much more than IP addresses. Create your own cert, and run it as an SSL proxy, so it can inspect your own https traffic.

Re:

[viperidaenz]

Sounds like a good way to compromise security and performance in one shot.

I suppose you could do some kind of dynamic IP blocking, by using the router as a DNS proxy, and blocking what ever IP addresses are resolved for specific host names. That doesn't work with dns-over-http but it's better than maintaining a huge list of ever changing IP addresses.

Re:

[msauve]

"Sounds like a good way to compromise security and performance in one shot."

Sounds like it to you, but then you obviously don't know much about network security. It's a very common enterprise solution, where any security or performance issues are much more pronounced than in a home environment.

Re:

[viperidaenz]

The enterprise solutions aren't perfect.
Not only does it slow things down, it increases latency too. These are compromises enterprises make to monitor traffic.
You end up with a situation where your browser never sees the certificate from the website in question. You can't inspect it yourself.
You have another certificate store to keep up to date.
It completely breaks public key pinning and fires off reports for public key pin reporting.
You don't have a choice to ignore certificate errors.

The one I'm behind ri

Re:Is this like Net Neutrality.

[fahrbot-bot]

You can only block IP addresses on your router, of which I'm sure Facebook use hundreds as part of their CDN.

Kashmir Hill at Gizmodo did a series where she spent a week each blocking Amazon, Facebook, Google, Microsoft, and Apple from her life (devices and internet sites), then a week blocking them all. (link to series [gizmodo.com]) She had a friend setup a VPN for her devices configured to block access to the provider(s) and she noted in the articles how many IPs each controlled: Amazon: 23 million, Apple: 6 million, Facebook: 122,880, Google: 8 million, Microsoft: 21 million -- there's a link in each article to the data. She noted that blocking / not using Amazon was virtually impossible.

Browsers are moving towards dns over http, which bypasses your hosts file.

Don't know about Chrome (or other browsers), but this can be controlled and/or disabled in Firefox by setting "network.trr.mode" to 0. From my Firefox / Thunderbird "user.js" file:

// https://blog.nightly.mozilla.o... [mozilla.org]
// https://wiki.mozilla.org/Trust... [mozilla.org]
// 0: Off by default, 1: Firefox chooses faster, 2: TRR default w/DNS fallback,
// 3: TRR only mode, 4: Use DNS and shadow TRR for timings, 5: Disabled.

user_pref("network.trr.mode", 0);

Re:

[_merlin]

This is something that really shouldn't be buried like this. When using the OS name resolver, I can point it at a DNS server that I control or trust, and alter resolution with the hosts file if necessary. With TRR, it goes to a provider of Mozilla's choosing that I have no control over and have no reason to trust. This kind of stuff shouldn't be hidden in an obscure, hard-to-find setting.

Re:

[fahrbot-bot]

With TRR, it goes to a provider of Mozilla's choosing that I have no control over and have no reason to trust.

As mentioned in both Mozilla links I included, you can specify the DoH server with "network.trr.uri" :

Link 1: 4. Set "network.trr.uri" to your DoH server. Cloudflare’s is https://mozilla.cloudflare-dns... [cloudflare-dns.com] but you can use any DoH compliant endpoint.

Link 2: Set "network.trr.uri". Ones that you may use: https://mozilla.cloudflare-dns... [cloudflare-dns.com], https://dns.google.com/experim... [google.com]

I believe I read that Google is considering a GUI implementation for the DoH configuration for Chrome.

Re:

[_merlin]

So it can be changed in another buried setting that I have to fuck around searching for and won't remember. Lovely. Do I need to get another add-on to manage this like I had to get CookieBro to manage individual cookies? I really hate this dumbing down of the browser.

What's that?

[raymorris]

> Don't use Edge and Facebook blocked in hosts file

What is hosts file and how do you block things in it?

Re:

[DontBeAMoran]

What is hosts file and how do you block things in it?

Oh shit, now you've done it.

Prepare for hosts-related spamming in this thread! Everyone take cover!

Re:

[dryeo]

https://raw.githubusercontent.... [githubusercontent.com]
or start here,
https://github.com/StevenBlack... [github.com]

Re:

[Anonymous Coward]

I may not use Facebook. But it provides some value to many of the users. To protect their IP, Facebook may implement certain features explicitly through flash. Nothing wrong with that. They spent resources on it and want to keep it away from the competitors.

However if I figure it out on my own or would like to protect my IP similar to how FB does, visitors to my site would be shown a warning and discouraged from enabling the nice feature I developed. I am at an unfair disadvantage at this point.

Also, flash

Re:

[jellomizer]

The issue isn't DRM, but the fact that Facebook has an unfair advantage, in terms of it having Flash greenlighted to them. While someone else, if they chose to use flash will get warnings, and wouldn't have the resources to get MS to green-light it for them.

Re:Hardware firewall

[green1]

As pointed out earlier by another poster, that's getting harder and harder as well.

More programs *cough*Chrome*cough* are using their own internal resolvers instead of the system one, and running those over HTTPS specifically to bypass local domain blocks. IP blocks are also difficult with today's CDNs with large numbers of ever changing IPs, and domain based virtual hosts.

Sure, you can get around all this for now, but I'm not sure that long term you'll be able to.

Re: Hardware firewall

[cunina]

Chrome does DNS query caching; it doesnâ(TM)t have its own DNS it consults.

Re:

[green1]

After investigating, it looks like Google backtracked on it, and removed the async dns resolver a little while ago (here's a post that talks about what it was: https://discourse.pi-hole.net/t/disable-async-dns-resolver-in-google-chrome/9500)

So yes, Chrome DID have it's own internal resolver, but they seem to have backtracked and now only have a cache (which still will cause problems if you're switching between servers such as internal corporate DNS to outside world when you connect/disconnect your company V

Both Edge users are terribly upset

[spywhere]

(sorry)

Re:

[DickBreath]

Why are you sorry? Both Edge users aren't upset, but are happy that they can play their Facebook Flash games. And that is probably about the only thing that a Microsoft browser is good for. Especially since REAL browsers aren't the most welcoming of Flash. And Facebook and its third parties cannot be bothered to migrate from Flash to a more 21st century technology.

Yet again I calll for browser indepenance

[xack]

And yet again no one listens. I expect Mozilla and Google have "secret lists" too. Brave was recently exposed sending "secret headers" to certain websites too.

Re:

[rudy_wayne]

Feel free to go ahead and develop an independent browser. Nobody is stopping you.

Oh, that's right, you want somebody else to do it.

Re:Yet again I calll for browser indepenance

[green1]

Not everyone is a skilled coder. Some people just want to use the internet without being a victim. Telling them to build their own browser isn't exactly helpful.

Re:

[religionofpeas]

Feel free to go ahead and develop your own internet, then.

Re:

[Dragonslicer]

Feel free to go ahead and develop your own internet, then.

But this one already has blackjack and hookers, so what's the point?

Re:

[WCMI92]

A hosts file doesn't take any great amount of expertise to edit.

The problem is that in Windows 10 and the later versions of Windows server not even Administrator is Administrator.

So Microsoft trusts Facebook more than it's customers. That is like trusting a burglar over a homeowner. And I am not at all wrong in the comparison. Zuckerberg/Sandberg are known abusers.

Re:

[scdeimos]

The problem is that in Windows 10 and the later versions of Windows server not even Administrator is Administrator.

UAC has been around since at least Windows Vista. Has nobody ever shown you the Run as Administrator options so you can do administrative things with the Administrator account?

Re:

[grep -v '.*' *]

Not everyone is a skilled coder. Telling them to build their own browser isn't exactly helpful.

??? You don't need to, it's all easy enough -- doesn't everyone know "telnet site 80"? It's all that math at 443 that's hard -- the sage Barbie was PRESCIENT! [youtube.com]

Although binary-decoding moving GIFs in your head in real-time IS fairly hard, I'll give you that.

Re:

[Waccoon]

More appropriately, many of the problems we experience in communication technology are driven by politics. It's really hard to develop a technical solution to a political problem, no matter how much skill and spare time you have.

I've been running my own e-mail server for over 15 years, because I don't want my ISP or a media mogul to do it for me. Ask me how many mails I can actually send/receive with so many big networks blacklisting smaller domains they don't recognize. Oh well... might as well give up

Re:

[green1]

I've been running my own mail server for almost 20 years. I have no trouble sending or receiving mail to any of the big players. There are a couple of caveats though, you must have several things in place in the modern world of email:
- you must be hosted on a "server" IP, if big names think it's a dynamic or residential IP, you'll never get through.
- Reverse DNS that matches your domain's MX
- SPF records
- DKIM signatures
- DMARC records
- No open relays, all your users must be authenticated.
- Never let SPAM,

THIS is why closed-source is bad

[Anonymous Coward]

I mean, come on, the fact they encrypted the list and it had to be brute-forced meant that a) Microsoft didn't want us know and b) they knew it was sneaky. How much more anti-consumer can a program be -- it was hiding intentional violations of its own touted 'security policies' for some privileged group that isn't the user.

Re:

[thegarbz]

Did you post this from a personally vetted browser? Or do you just assume because something is magically open source that someone else trustworthy vetted it for you?

How is this different from other browsers?

[The MAZZTer]

In the transition time to deprecating Flash and removing it from browsers entirely, there are still sites that use Flash and users of those sites which rely on it. So, all of the browsers have a whitelist which allows some sites to continue working while preventing others from introducing brand-new Flash content. This helps with the transition. Eventually the browsers narrow this list down in scope and add more security barriers in front of Flash until they can remove it entirely. That sounds exactly like what is happening here; the whitelist is down to two entries both of which are extremely popular sites. The whitelist and Flash itself will likely be removed at some point. I am not sure why the cause for alarm here; it wasn't too long ago that flash ran by default on ALL websites.

I think the only real point of concern here is the lack of click to play, especially since anyone can make a Flash app with who knows what spyware as content and get it uploaded as a Facebook app.

Re:

[tepples]

Flash has been dangerous to run for 20 years

Twenty years ago, what would have been superior to Flash for making things like All Your Base, Hatt-baby, Hyakugojyuuichi, Badger Badger Badger, Weebl and Bob, Homestar Runner, and everything on Newgrounds? Consider that many people still had 0.05 Mbps Internet at the time.

Re:

[dunkelfalke]

It would still be superior for that task. All that classic stuff has been converted to streaming video nowadays, eating far more bandwidth, yet with worse quality.

Re:How is this different from other browsers?

[viperidaenz]

Because it's a "secret" list users don't have the ability to change.

Facebook obviously doesn't need to use Flash to function, as Chrome and Firefox don't have this exemption.

Re:

[jbmartin6]

More interesting, perhaps, is Facebook knew nothing about it and asked for their domains to be removed. At least that is what they said.

vmware

[nnet]

and vsphere mgmt.

Re:

[DontBeAMoran]

You think FACEBOOK has been too small and without have enough ressources to remove anything Flash-related for the last decade?

Re:

[AHuxley]

Ad company gets the approved power to do that?

Re:

[rudy_wayne]

And you know this because you have carefully examined every line of source code, right?

Re:

[JustAnotherOldGuy]

...and compiled it yourself?

Yes, and I wrote the compiler and fabricated the integrated circuits myself.

Re:

[viperidaenz]

Which has supported Flash since 1996

Re:

[green1]

Navigator? c'mon, real men use lynx!

Re:

[chthon]

Emacs M-x browse-web

Re:

[PPH]

NCSA Mosaic.

So it's trivial for a wifi portal to run Flash

[viperidaenz]

All you need to do is redirect your "WiFi login" page to a whitelisted domain, MITM that domain, since you control the wifi network, and deliver what ever malicious Flash content you desire.
Easy to do, since the whitelist is not restricted to HTTPS connections.

Facebook can't be trusted

[WCMI92]

As even Apple has learned. Now Microsoft will be burned.

Re:

[strikethree]

As even Apple has learned. Now Microsoft will be burned.

Really?! Microsoft gave themselves access to ALL of your files and you think that THIS misuse of trust is the one that will get them?

Pardon me for a second. I can't type while I am laughing so hard. I think I might be getting a broken rib here. OMGWTFBBQ

Who still uses Edge?

[Locke2005]

Other than as the world's most popular method of downloading Chrome...

Ohhhhh

[JustAnotherOldGuy]

Nothing nefarious here, just good ol' Microsoft secretly fucking over you and your PC behind your back.

I will say this is different; usually they do it right to your face.

So glad I switched to Mint, not that I ever would have allowed Edge* to run. The ONLY thing Edge might be good for is downloading another browser, beyond that it's pure rubbish.

.

*Edge, AKA "The Little Browser That Couldn't"

MS chrome browser

[sad_]

expect the same tricks from the MS chrome based browser, another reason just to not use it.
changing rendering engines will not make me change my mind.