Microsoft pays Rs 15 lakh to 2 Indian tech experts for finding major security flaw – Times of India

Microsoft recently fixed a significant security flaw in its Edge browser after two cyber security researchers, Vansh Devgan from Uttar Pradesh and Shivam Kumar Singh from Haryana, informed the company about it. The two found "weak code" containing a uXSS (Universal Cross-Site Scripting) flaw in Microsoft Translator, which comes pre-installed in the Edge browser, and reported it under the Edge on Chromium bounty program. Microsoft gave them the highest reward of $20,000 (about Rs 15 lakh).
While Shivam runs his own business and is a part-time bug bounty hunter, Vansh has completed the third year of his B.Tech in Computer Science at Lovely Professional University and is a cyber security enthusiast.
The security vulnerability, tracked as CVE-2021-34506, has been fixed in the latest release of the Microsoft Edge Stable Channel (version 91.0.864.59). The impact of the flaw was severe: when anyone browsing a website in Microsoft Edge pressed the language translation button to read the content in their preferred language, an attacker could inject arbitrary code to do whatever they wanted.

“We created a profile on Facebook with the name in a different language and an XSS payload and sent a friend request to the victim (he is using Microsoft Edge). As soon as he checked the profile, it got hacked (XSS popup due to auto translation),” explained Vansh Devgan, who runs CyberExplore, a private limited company, with his friend Shivam Kumar Singh.

The prerequisites for running arbitrary code were simple: the victim had to use the Microsoft Edge browser and keep auto-translation turned on. Explaining the payload, the CyberExplore team said in their blog post, “We have written a review on Google HackENews for a company with different language + XSS payload. Anyone browsing that review link got hacked (XSS popup due to auto translation).”

The two also claimed that they were able to bypass YouTube and Windows Store applications by exploiting this vulnerability.

“Unlike normal XSS attacks, UXSS is a type of attack that exploits client-side vulnerabilities in a browser or browser extension to generate an XSS state and execute malicious code. When such vulnerabilities are found and exploited, browser behavior is affected and its security features may be bypassed or disabled,” he explained.
