DuckDuckGo has been many users’ go-to choice when they need a privacy-friendly alternative to Google. The company has also released a browser extension that can prevent tracking and offers private web browsing on Google Chrome, Mozilla Firefox, and Microsoft Edge. Now, a severe vulnerability in the popular extension, DuckDuckGo Privacy Essentials, is putting Microsoft Edge users’ privacy at risk.
DuckDuckGo risked Edge privacy
The vulnerability relies on universal cross-site scripting (uXSS) to snoop on the victim’s internet browsing activity, defeating the purpose of the DuckDuckGo browser extension in the first place.
Since the attack could be based on a uXSS flaw, the attacker can achieve almost-complete control of a device where a user has installed the DuckDuckGo Privacy Essentials extension. In addition to gaining access to the web browsing history and sensitive information, the attacker can also run arbitrary code on any domain the user is visiting, according to this report.
Nevertheless, it is worth noting that a random attacker cannot exploit this vulnerability. A hacker needs access to the core server to deploy the real threats from this issue. At the same time, it is easy for DuckDuckGo, its hosting provider, and even government agencies to know the complete whereabouts of a user once server access is provided.
Once an attacker has secured this access, they can use the privileged position and exploit the vulnerability to view and manipulate what a user sees on the browser screen. For instance, an attacker may manipulate online banking sessions to capture the login credentials or silently move funds.
If this happens, even lines of communication secured with military-grade encryption will become transparent to the attacker. Though the chances of an attacker gaining all these privileges are meager, the results could be catastrophic. That is why the lack of a patch is a severe concern for Microsoft Edge. It is still unclear when DuckDuckGo plans to release the patch for the Microsoft Edge browser.
The company has issued patches for both Chrome and Firefox, but Microsoft Edge is still on the compromised list.
Meanwhile, if you have installed DuckDuckGo Privacy Essentials on Microsoft Edge, you should uninstall it until an official patch arrives. Chrome and Firefox users should ensure that they have updated the extension.