DuckDuckGo's official browser extension exposed the privacy of its users for months



DuckDuckGo is one of the favorite search options of users who run away from Google and show themselves aware of the cause of privacy in the web.



So, to facilitate its use (and incidentally add functionalities such as blocking advertising tracking networks) its creators they also launched extensions for the main browsers: Firefox, Chrome and MS Edge.



The problem is that it has now been discovered that, over several months, DuckDuckGo Privacy Essentials has been putting at riskprecisely the privacy of its users. How is this?



Small vulnerability, huge (potential) consequences



We are facing a case of uXSS vulnerability (universal cross-site scripting '), in which the attacker is capable of inject arbitrary malicious code into web pages visited by the user using some scripting language (frequently JavaScript) and exploiting vulnerabilities on the client side.







The 12 key extensions in Chrome and Firefox for internet privacy and security





That allows the attacker to access the browser history and to all sensitive information entered by the user (such as the data linked to your bank account), as well as altering the information displayed on the screen by the user.



The chances of an attacker gaining such a degree of access they are scarce, but the potential results are still catastrophic even if you are a user of secure browsing tools like SecureDrop or ProtonMail.



The good news in the present case is that this kind of attack can only be run by someone who controls the server http://staticcdn.duckduckgo.com.



That is, in principle, by the company itself DuckDuckGo. But it could also be taken advantage of by your hosting provider (nothing less than Microsoft, via Azure) or by any attacker take over said server (cybercriminals, government agencies, etc.).



According to Wladimir Palant, the creator of Adblock Plus, and the researcher who originally detected the vulnerability, this vulnerability has been operational for several months, and it has not been until these last days, with the release of the version 2021.3.8 extension for the big three browsers, when it has finally been solved.



So take a look at your extension manager to make sure it has already been updated correctly.