DuckDuckGo Browser UXSS Vulnerability: Cross-Origin Code Execution via AutoConsent JS Bridge


A critical Universal Cross-Site Scripting (UXSS) flaw affected the DuckDuckGo Android browser. It carried a CVSS score of 8.6. Cross-origin iframes could run arbitrary JavaScript on the top-level page, breaking the browser's same-origin isolation.

Security researcher Dhiraj Mishra found the issue. It lived in the AutoconsentAndroid JavaScript bridge, native code exposed to web pages so the Android app and page scripts can exchange messages. Because the bridge performed no origin checks and required no token, any frame could send it messages.

The bridge passed incoming message data to an eval handler that called webView.evaluateJavascript directly on the main document. A malicious iframe could therefore proxy its own code into the top-level context, bypassing the Same-Origin Policy entirely.
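As an added illustration (not DuckDuckGo's code, which the article does not reproduce), here is the bridge pattern described above beside a hardened version built on androidx.webkit's WebMessageListener, which reports the sender's origin and whether it is the main frame; WeakBridge, ConsentBridge and the JSON message types are assumed names.

```kotlin
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebView
import androidx.webkit.JavaScriptReplyProxy
import androidx.webkit.WebMessageCompat
import androidx.webkit.WebViewCompat
import androidx.webkit.WebViewFeature
import org.json.JSONObject

// WEAK (the pattern the article describes, reconstructed, not the real code):
// addJavascriptInterface exposes the object to every frame in the WebView, the
// method learns nothing about its caller, and the message is run as code.
class WeakBridge(private val webView: WebView) {
    @JavascriptInterface
    fun process(message: String) {
        webView.post { webView.evaluateJavascript(message, null) }
    }
}

// HARDENED: WebMessageListener (androidx.webkit) reports the sender origin and
// whether it is the main frame; the message is data to dispatch, never code.
object ConsentBridge {
    // Origin rules for addWebMessageListener. "*" because a consent helper must
    // work on arbitrary sites; a bridge serving only known sites should list them.
    private val originRules = setOf("*")

    fun install(webView: WebView) {
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) return
        WebViewCompat.addWebMessageListener(webView, "ConsentBridge", originRules,
            WebViewCompat.WebMessageListener { _, message, origin, isMainFrame, reply ->
                onMessage(message, origin, isMainFrame, reply)
            })
    }

    private fun onMessage(msg: WebMessageCompat, origin: Uri, isMainFrame: Boolean,
                          reply: JavaScriptReplyProxy) {
        // Embedded frames never reach the handler; plaintext origins are refused too.
        if (!isMainFrame || origin.scheme != "https") return
        val raw = msg.data ?: return
        val data = runCatching { JSONObject(raw) }.getOrNull() ?: return
        // Fixed vocabulary of message types (assumed names); anything else is dropped.
        val result = when (data.optString("type")) {
            "consentDetected" -> JSONObject().put("ok", true).put("action", "dismiss")
            "consentHandled" -> JSONObject().put("ok", true)
            else -> JSONObject().put("ok", false).put("error", "unknown message type")
        }
        reply.postMessage(result.toString()) // structured reply only, never script text
    }
}
```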

No user interaction was needed. A hidden iframe on any site could trigger it under default settings, giving an attacker full script execution on the trusted top-level page.

DuckDuckGo said: “We resolved the reported JS bridge issue promptly post-disclosure. All users should update to the latest version.”

Vulnerability Details

Feature        Details
CVSS Score     8.6 (High)
Affected App   DuckDuckGo Android Browser
Component      AutoconsentAndroid JS Bridge
Impact         Arbitrary JS in top origin
Disclosure     HackerOne by Dhiraj Mishra

Mishra detailed it on Medium. He reported via HackerOne. DuckDuckGo patched it fast in new releases.

Attack Mechanics

  • A malicious site loads a hidden cross-origin iframe.
  • The iframe posts a crafted message to the AutoconsentAndroid bridge.
  • The bridge evals the JS on the top-level document.
  • The attacker steals cookies or tokens, or injects content.

Session data was directly exposed: an attacker could hijack logins on banking or email sites. The default browser configuration made the bridge reachable.

Mitigation Steps

Update DuckDuckGo Android app now. Check for latest version in Play Store. Enterprises should push auto-updates.

Watch traffic for odd iframe posts. Use Web Application Firewalls to block bridge abuse. Test WebViews in apps for similar gaps.

FAQ

What causes the DuckDuckGo UXSS flaw?

AutoconsentAndroid bridge skips origin checks on messages.

How severe is CVSS 8.6?

High risk: it allows silent code execution across origins.

Is it patched?

Yes, after the HackerOne report. Update the app immediately.

Who found it?

Security researcher Dhiraj Mishra, who reported it through HackerOne.