A vulnerability in Microsoft Edge allowed attackers to steal local files when the victims opened a specially crafted HTML file. The leak in the default browser of Windows 10 bypassed the Same Origin Policy (SOP) security measure.
Ziyahan Albeniz from security company Netsparker discovered the issue and explains that SOP should normally prevent access to local files. Normally, the browser only opens content from the same origin in another page. The protocol, host name and port of a URL need to be same. This means that e.g. an image loaded over HTTP (http://) can be loaded in a page that is loaded over HTTP and local files (file://) can only be accessed through a page that was loaded over that same file system. If the protocol, host name or port are not the same, a file will not load inside the page.
Because the Windows 10 Mail and Calendar app also didn’t block .HTML file attachments, the attack was fairly easy to perform if the user used the app as their mail client. Most mail clients would block, or at least mark, .HTML files as unsafe, but the Windows 10 Mail and Calendar app didn’t.
Microsoft now fixed the issue in both Edge and the Mail and Calendar app. No other browsers were affected.