Keypoints
- Guardio Labs found CVE-2024-21388: a private Edge API (edgeMarketingPagePrivate.installTheme) that could install browser extensions without user interaction.
- The API was exposed to a list of Microsoft-owned domains (e.g., bing.com, microsoft.com), giving those pages privileged access to install themes/extensions.
- The implementation failed to validate extension type/ID, allowing an attacker to pass an extension ID and manifest to install arbitrary extensions silently.
- Exploitation vectors include XSS on privileged domains or a low-privileged extension that injects scripts into those domains to call the private API.
- Proof-of-concept used a simple content script that injects an inline script via createElement (data: URL) to call chrome.edgeMarketingPagePrivate.installTheme with a target extension ID and manifest.
- Microsoft fixed the issue by validating extension ID and type (restricting installs to themes) and shipped the patch in Edge version 121.0.2277.98.
- Residual risk remains because extensions can still inject code into privileged domains; domain-based privileges alone are insufficient protection.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Abusing XSS or other vulnerabilities on privileged Microsoft domains to reach the private API and trigger installs; quote: ‘This vulnerability enabled anyone with a method to run JavaScript on bing.com or microsoft.com pages to install any extensions from the Edge Add-ons Store without the user’s consent or interaction.’
- [T1059.007] Command and Scripting Interpreter: JavaScript – Injected JavaScript in the page context calls the private API to perform silent installs; quote: ‘That script will then call the private API at chrome.edgeMarketingPagePrivate.installTheme causing Bing to initiate a new silent extension install!’
- [T1068] Exploitation for Privilege Escalation – Using the API to install more powerful extensions elevates attacker capabilities beyond the original low-privilege extension; quote: ‘This is an “Elevation of Privilege” issue and was classified as Moderate…’
- [T1176] Browser Extensions – A benign-looking stage-1 extension injects code into privileged pages to trigger the silent installation of stage-2 extensions for persistence; quote: ‘All the extension needs to do is add or replace one of the scripts in, let’s say bing.com and make it call the above API.’
- [T1036] Masquerading – Attackers can disguise malicious stage-1 extensions as legitimate productivity tools to evade detection and gain initial foothold; quote: ‘It’s relatively easy for attackers to trick users into installing an extension that appears harmless…’
- [T1027] Obfuscated Files or Information – The indirect use of a private API and script injection can obscure malicious intent and hinder detection; quote: ‘The use of a private API and indirect methods to install extensions could be seen as obfuscation to avoid detection…’
- [T1555] Credentials from Password Stores – Malicious extensions installed via this vector could access stored credentials in the browser; quote: ‘Attackers could leverage browser extensions to access stored credentials.’
Indicators of Compromise
- [Domain] privileged Microsoft contexts – examples: https://www.bing.com/*, https://www.microsoft.com/* (API accessible from multiple Microsoft-owned domains listed in the article)
- [Private API] Edge marketing API – chrome.edgeMarketingPagePrivate.installTheme, edgeMarketingPagePrivate (method used to install themes/extensions)
- [Extension Manifest / Name] PoC stage-1 extension – “edge-extension-install-poc-conetntscript” (manifest snippet shown in the article), and a simple content_scripts entry targeting https://www.bing.com/*
- [Script payload] injected JavaScript – PoC injectScript that creates a data:application/javascript script calling chrome.edgeMarketingPagePrivate.installTheme (shown in article)
- [Installed Extension Example] illustrative install target – uBlock (referenced in PoC as an example of an installed extension)
Guardio analyzed Edge’s packaged resources.pak to compare customization entries and discovered a private API, edgeMarketingPagePrivate, granted to Microsoft-owned web contexts. The API included an installTheme method and a matches list that allowed pages like bing.com and microsoft.com to call privileged browser functions; the implementation accepted a themeId and manifest without verifying that the ID corresponded to a theme.
The practical exploit path involved either exploiting an XSS on a privileged domain or using a low-privilege extension (stage-1) that injects an inline script into the privileged page context. The PoC uses a content script that appends a script element with a data: URL payload; that injected script constructs a manifest JSON and calls chrome.edgeMarketingPagePrivate.installTheme('{TARGET_EXTENSION_ID}', manifestJson, console.log) to trigger a silent installation of an arbitrary extension.
Microsoft mitigated the flaw by adding validation to ensure the API only installs themes (checking extension ID/type), and the fix shipped in Edge 121.0.2277.98. The report notes residual risk: extensions can still inject code into privileged domains, so relying solely on domain-based access for private APIs remains a fragile control.
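The two defensive points in the paragraph above, the theme-only validation Microsoft added and the residual risk from extensions that can inject into privileged domains, can be modelled in a few lines. The block below is an added example, not Guardio's PoC and not Microsoft's patch: `install_theme` is a stand-in for the fixed API that refuses anything whose store record or supplied manifest is not a pure theme, and `audit_manifest` flags installed extensions whose content scripts can run on the privileged hosts. It assumes the Chromium convention that a theme manifest carries a top-level `theme` object and no code-bearing keys, and it uses constructed manifests and placeholder extension IDs; a real audit would take the full matches list from Edge's resources.pak rather than the two hosts named here.

```python
"""Added example (not Guardio's PoC or Microsoft's patch): a model of the
theme-only validation the fix introduced, plus an audit that flags installed
extension manifests able to inject scripts into the privileged Microsoft
domains. All manifests and IDs here are constructed samples."""
import json
from urllib.parse import urlparse

# Hosts the summary names as having access to edgeMarketingPagePrivate.
# Assumption: a real audit would take the full matches list from resources.pak.
PRIVILEGED_HOSTS = ("bing.com", "microsoft.com")

# A Chromium theme manifest has a top-level "theme" object and none of these
# code-bearing keys; anything else is a regular extension and must be refused.
CODE_BEARING_KEYS = ("background", "content_scripts", "permissions",
                     "host_permissions", "action", "browser_action")

# Constructed store records keyed by placeholder extension IDs.
STORE = {
    "theme-id-placeholder": {
        "name": "Plain Theme", "version": "1.0", "manifest_version": 3,
        "theme": {"colors": {"frame": [0, 0, 0]}},
    },
    "stage1-id-placeholder": {
        "name": "Looks Harmless", "version": "1.0", "manifest_version": 3,
        "content_scripts": [{"matches": ["https://www.bing.com/*"],
                             "js": ["content.js"]}],
    },
}


def is_theme_manifest(manifest: dict) -> bool:
    """True only for a pure theme: "theme" present, no code-bearing keys."""
    if not isinstance(manifest.get("theme"), dict):
        return False
    return not any(key in manifest for key in CODE_BEARING_KEYS)


def install_theme(ext_id: str, manifest_json: str, store: dict = STORE) -> str:
    """Hardened model of installTheme(themeId, manifest). The pre-fix API
    trusted the caller's ID and manifest; here the ID must resolve to a store
    record that is a theme, the supplied manifest must also be a theme, and
    the two must agree. Returns "installed" or a refusal reason."""
    try:
        supplied = json.loads(manifest_json)
    except json.JSONDecodeError:
        return "rejected: malformed manifest"
    record = store.get(ext_id)
    if record is None:
        return "rejected: unknown extension id"
    if not (is_theme_manifest(record) and is_theme_manifest(supplied)):
        return "rejected: not a theme"
    if supplied != record:
        return "rejected: manifest does not match store record"
    return "installed"  # a real implementation would perform the install here


def pattern_reaches_privileged_host(pattern: str) -> bool:
    """True if a content_scripts match pattern covers a privileged host."""
    if pattern == "<all_urls>":
        return True
    # "*://" means any scheme; swap it so urlparse can extract the host part.
    host = urlparse(pattern.replace("*://", "https://", 1)).hostname or ""
    host = host.lstrip("*.")  # "*.bing.com" -> "bing.com", "*" -> ""
    if host == "":            # a bare host wildcard covers every site
        return True
    return any(host == p or host.endswith("." + p) for p in PRIVILEGED_HOSTS)


def audit_manifest(manifest: dict) -> list:
    """Flag each content script that can run inside a privileged domain, the
    residual risk the report notes even after the API fix."""
    findings = []
    for entry in manifest.get("content_scripts", []):
        scripts = ", ".join(entry.get("js", []))
        for pattern in entry.get("matches", []):
            if pattern_reaches_privileged_host(pattern):
                findings.append(f"{scripts} injects into {pattern}")
    return findings


def run_samples() -> dict:
    """Exercise both controls against the constructed store records."""
    theme_json = json.dumps(STORE["theme-id-placeholder"])
    stage1_json = json.dumps(STORE["stage1-id-placeholder"])
    return {
        "theme_install": install_theme("theme-id-placeholder", theme_json),
        "ext_install": install_theme("stage1-id-placeholder", stage1_json),
        "id_swap": install_theme("theme-id-placeholder", stage1_json),
        "unknown": install_theme("no-such-id", "{}"),
        "audit_theme": audit_manifest(STORE["theme-id-placeholder"]),
        "audit_stage1": audit_manifest(STORE["stage1-id-placeholder"]),
    }


if __name__ == "__main__":
    for name, result in run_samples().items():
        print(f"{name}: {result}")
```

The install check validates both the store record and the caller-supplied manifest because the original flaw was trusting whichever of the two the page handed over; the audit is the compensating control for the risk that remains after the fix, since a domain allow-list says nothing about which extensions have already been granted script access to those domains.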