DuckDuckGo is one of the favorite search options for users who flee from Google and care about privacy on the web.
The official DuckDuckGo browser extension exposed the privacy of its users for months
So, to make it easier to use (and, along the way, add features such as blocking ad-tracking networks), its creators also launched extensions for the main browsers: Firefox, Chrome, and MS Edge.
The problem is that it has now been discovered that, for several months, DuckDuckGo Privacy Essentials has been putting at risk precisely what it was meant to protect: the privacy of its users. How so?
Small vulnerability, huge potential consequences
We are dealing with a uXSS (universal cross-site scripting) vulnerability: by exploiting a client-side flaw, the attacker can inject arbitrary malicious code, usually JavaScript, into any web page the user visits, regardless of which site it belongs to.
This allows the attacker to read the browser history and any sensitive information the user enters (such as data linked to their bank account), as well as to alter what is displayed on the user's screen.
The chances of an attacker ever gaining such a degree of access are slim, but the potential results are still catastrophic even if you are a user of secure browsing tools such as SecureDrop or ProtonMail.
The good news, in this case, is that this kind of attack can only be carried out by someone who controls the server http://staticcdn.duckduckgo.com.
That is, in principle, by the DuckDuckGo company itself. But it could also be exploited by its hosting provider (none other than Microsoft, through Azure) or by anyone who takes over that server (cybercriminals, government agencies, etc.).
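The trust boundary described above is the whole story: an extension that executes whatever a remote server returns hands that server, and anyone who compromises it, script-injection rights on every page the user opens. The following is an added illustrative example, not DuckDuckGo's extension code and not Wladimir Palant's proof of concept. It models the pattern generically: a loader that turns a remote "surrogate" list into injected code versus one that treats the remote response strictly as data and only ever injects scripts bundled with the extension. The field names (`surrogates`, `match`, `surrogate`) and the sample responses are constructed for the example.

```javascript
// Added example (not the extension's real code). Demonstrates why remote
// data must never become injected code, and one hardened alternative.

// Constructed sample of a benign CDN response: each rule names a bundled
// replacement script for a tracker URL. Field names are assumptions.
const REMOTE_RESPONSE_OK = JSON.stringify({
  version: 42,
  surrogates: [
    { match: "https://tracker.example/analytics.js", surrogate: "noop_analytics" },
  ],
});

// Constructed hostile response: the same field now carries inline code,
// which is what a compromised or malicious server would send.
const REMOTE_RESPONSE_BAD = JSON.stringify({
  version: 43,
  surrogates: [
    { match: "https://tracker.example/analytics.js", surrogate: "document.title = 'owned'" },
  ],
});

// Every script that may run inside a page ships with the extension itself,
// keyed by name. The server can only choose from this set, never supply code.
const BUNDLED_SURROGATES = {
  noop_analytics: "window.ga = function () {};",
};

// Vulnerable pattern: the remote string is passed straight to the injector,
// so whoever controls the server controls what runs in every tab (uXSS).
function unsafeApply(responseText, inject) {
  const rules = JSON.parse(responseText);
  for (const r of rules.surrogates) inject(r.match, r.surrogate);
}

// Hardened pattern: parse defensively, validate the shape, resolve the
// surrogate name against the local bundle, and reject anything unknown.
function safeApply(responseText, inject) {
  let rules;
  try { rules = JSON.parse(responseText); } catch { return { applied: 0, rejected: 1 }; }
  if (!rules || !Array.isArray(rules.surrogates)) return { applied: 0, rejected: 1 };
  let applied = 0, rejected = 0;
  for (const r of rules.surrogates) {
    const validMatch = typeof r.match === "string" && /^https:\/\/\S+$/.test(r.match);
    const code = Object.prototype.hasOwnProperty.call(BUNDLED_SURROGATES, r.surrogate)
      ? BUNDLED_SURROGATES[r.surrogate]
      : undefined;
    if (!validMatch || code === undefined) { rejected++; continue; }
    inject(r.match, code);
    applied++;
  }
  return { applied, rejected };
}

// Stand-in for the browser API that would execute a script in a tab; it
// records what would have been injected so the two loaders can be compared.
function recordingInjector() {
  const log = [];
  return { inject: (url, code) => log.push({ url, code }), log };
}

// Usage: feed both loaders the hostile response and compare the logs.
const vulnerable = recordingInjector();
unsafeApply(REMOTE_RESPONSE_BAD, vulnerable.inject);
const hardened = recordingInjector();
const outcome = safeApply(REMOTE_RESPONSE_BAD, hardened.inject);
console.log("unsafe loader injected:", vulnerable.log);   // attacker-chosen code
console.log("safe loader injected:", hardened.log, outcome); // nothing, 1 rejected
```

The design point is that the server is demoted from "source of code" to "source of configuration": it can still tune which trackers are replaced (the legitimate reason for fetching remote rules), but the worst it can do if compromised is pick a wrong entry from a list the extension already ships, not run arbitrary script in users' sessions.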
According to Wladimir Palant, the creator of Adblock Plus and the researcher who originally detected the vulnerability, the flaw has existed for several months, and it was only in the last few days, with the release of version 2021.3.8 of the extension for the three major browsers, that it was finally fixed.