DuckDuckGo Android Browser Patched for High-Severity UXSS Vulnerability
A high-severity vulnerability in the DuckDuckGo browser for Android was recently disclosed that exposed users to Universal Cross-Site Scripting (UXSS). The flaw sat in the browser’s AutoConsent JavaScript bridge: it let script originating in an untrusted frame run in the context of a trusted page, bypassing the Same-Origin Policy (SOP).
Security researcher Dhiraj Mishra reported the issue through HackerOne. The AutoconsentAndroid Java bridge, which automates the dismissal of cookie-consent pop-ups, did not validate where the messages it received came from. That matters on Android because a native object exposed to a WebView with addJavascriptInterface() is injected into every frame of the page, cross-origin iframes included, and the native side is not told which frame invoked it; a bridge that does not verify its caller is therefore reachable from any embedded document. This bridge accepted commands from any iframe, including cross-origin ones, without authentication, which let an attacker-controlled iframe inject arbitrary JavaScript into the main page.
A proof-of-concept (PoC) demonstrated the issue: a hidden, attacker-controlled iframe altered the content of the page that embedded it, confirming the SOP bypass. The vulnerability was assigned a CVSS score of 8.6 (High). Script injected this way runs with the embedding page’s origin, so it could have been used to read that page’s cookies (those not flagged HttpOnly), hijack the session, or manipulate site content, with no user interaction beyond visiting a page in which attacker content is framed.
DuckDuckGo has since fixed the flaw in recent updates to the com.duckduckgo.mobile.android app. The patched bridge verifies the origin of incoming messages before acting on them, so a cross-origin frame can no longer use it to execute script in the main page. Users were advised to update to the latest version.
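As an added illustration (this is not DuckDuckGo’s code and not the actual patch), the Kotlin below puts the bridge shape that makes this class of bug possible next to a hardened version built on androidx.webkit’s WebViewCompat.addWebMessageListener(), which reports the sender’s origin and whether it is the main frame. The class and object names, the JS object name AutoconsentBridge, the message types, and the handler are all hypothetical.

```kotlin
// Added illustration, not DuckDuckGo's code: two versions of a WebView-to-native
// bridge of the kind described above. Names and message format are hypothetical.
import android.net.Uri
import android.webkit.JavascriptInterface
import android.webkit.WebView
import androidx.webkit.JavaScriptReplyProxy
import androidx.webkit.WebMessageCompat
import androidx.webkit.WebViewCompat
import androidx.webkit.WebViewFeature
import org.json.JSONException
import org.json.JSONObject

// Shared handler: accept only known message types and answer with a JSON string.
// Returns null for anything unrecognised, so the caller sends nothing back.
private fun handleConsentMessage(raw: String): String? {
    val msg = try { JSONObject(raw) } catch (e: JSONException) { return null }
    return when (msg.optString("type")) {
        "popupFound" -> JSONObject().put("type", "optOut").toString()
        "report"     -> JSONObject().put("type", "ack").toString()
        else         -> null  // unknown command: dropped, never echoed into the page
    }
}

/* VULNERABLE PATTERN (the shape of the bug described above).
 * addJavascriptInterface() injects window.AutoconsentBridge into every frame of
 * the page, cross-origin iframes included, and process() learns nothing about
 * which frame called it. The reply is pushed with evaluateJavascript(), which
 * always runs in the main frame, so a message from a hostile iframe becomes
 * script executing in the top-level page's origin. */
class UnsafeConsentBridge(private val webView: WebView) {
    fun install() = webView.addJavascriptInterface(this, "AutoconsentBridge")

    @JavascriptInterface  // invoked on a background thread, from any frame
    fun process(message: String) {
        val reply = handleConsentMessage(message) ?: return
        webView.post {
            // No origin or frame check: an iframe's reply is evaluated in the main frame.
            webView.evaluateJavascript("window.__onConsentReply($reply)", null)
        }
    }
}

/* HARDENED PATTERN.
 * addWebMessageListener() (androidx.webkit) passes the listener the sender's
 * origin and an isMainFrame flag, and replies go through a JavaScriptReplyProxy
 * bound to the frame that sent the message, so nothing is evaluated in the main
 * frame on a subframe's behalf. A consent helper must work on every site, so the
 * origin rule is "*"; isolation comes from the isMainFrame check and the
 * per-frame reply proxy rather than from a host allowlist. */
object SafeConsentBridge {
    private const val JS_OBJECT_NAME = "AutoconsentBridge"

    // Returns false when the safe API is unavailable; the feature then stays off
    // instead of falling back to an unauthenticated addJavascriptInterface() bridge.
    fun install(webView: WebView): Boolean {
        if (!WebViewFeature.isFeatureSupported(WebViewFeature.WEB_MESSAGE_LISTENER)) {
            return false
        }
        WebViewCompat.addWebMessageListener(webView, JS_OBJECT_NAME, setOf("*"),
            object : WebViewCompat.WebMessageListener {
                override fun onPostMessage(
                    view: WebView, message: WebMessageCompat, sourceOrigin: Uri,
                    isMainFrame: Boolean, replyProxy: JavaScriptReplyProxy
                ) {
                    // Only the top-level document may drive consent automation. If
                    // subframes ever need service, the reply proxy still confines the
                    // answer to the frame that asked.
                    if (!isMainFrame) return
                    // Ignore opaque and non-https origins (about:blank, data:, file:).
                    if (sourceOrigin.scheme != "https") return
                    val data = message.data ?: return
                    val reply = handleConsentMessage(data) ?: return
                    // Answer the sending frame only; never evaluateJavascript() a reply.
                    replyProxy.postMessage(reply)
                }
            })
        return true
    }
}
```

On the page side the hardened bridge is reached as `AutoconsentBridge.postMessage(JSON.stringify({type: "popupFound"}))`, with replies arriving on `AutoconsentBridge.onmessage`; because the object is only ever bound to the frame that owns it, a cross-origin iframe that calls it gets at most a reply into its own frame, never script in the embedding page.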
Source: https://gbhackers.com/uxss-vulnerability-in-duckduckgo-browsers/
DuckDuckGo cybersecurity rating report: https://www.rankiteo.com/company/duck-duck-go
"id": "DUC1772461435",
"linkid": "duck-duck-go",
"type": "Vulnerability",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of DuckDuckGo Android browser',
                        'industry': 'Technology (Search Engine/Browser)',
                        'name': 'DuckDuckGo',
                        'type': 'Company'}],
 'attack_vector': 'Malicious iframe injection',
 'customer_advisories': 'Users advised to update to the latest version of DuckDuckGo Android browser.',
 'data_breach': {'personally_identifiable_information': 'Potential (cookies, session data)',
                 'sensitivity_of_data': 'High (session hijacking, PII exposure risk)',
                 'type_of_data_compromised': 'Cookies, session tokens, webpage content'},
 'description': 'A high-severity vulnerability in the DuckDuckGo browser for Android was discovered, exposing users to Universal Cross-Site Scripting (UXSS) attacks. The flaw in the browser’s AutoConsent JS bridge allowed malicious code from untrusted sources to execute on trusted webpages, bypassing the Same-Origin Policy (SOP).',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to security flaw',
            'data_compromised': 'Cookies, session data, website content manipulation',
            'identity_theft_risk': 'High (session hijacking, cookie theft)',
            'systems_affected': 'DuckDuckGo Android browser (com.duckduckgo.mobile.android)'},
 'investigation_status': 'Resolved (patched)',
 'lessons_learned': 'Importance of origin validation in JavaScript bridges to prevent UXSS attacks; need for rigorous security testing of browser extensions and integrations.',
 'post_incident_analysis': {'corrective_actions': 'Implemented origin validation in the AutoConsent JS bridge to prevent unauthorized script execution.',
                            'root_causes': 'Lack of origin validation in AutoConsent JS bridge, allowing cross-origin iframes to execute arbitrary JavaScript.'},
 'recommendations': '1. Ensure all JavaScript bridges validate message origins. 2. Conduct regular security audits of browser components. 3. Encourage users to update to patched versions promptly. 4. Implement sandboxing for third-party iframes.',
 'references': [{'source': 'HackerOne Report'},
                {'source': 'Security Researcher (Dhiraj Mishra)'}],
 'response': {'communication_strategy': 'Advisory to users to update to the latest version',
              'containment_measures': 'Patch released to verify message origins in AutoConsent JS bridge',
              'remediation_measures': 'Fixed in recent updates to com.duckduckgo.mobile.android',
              'third_party_assistance': 'HackerOne (vulnerability reported via bug bounty program)'},
 'title': 'DuckDuckGo Android Browser Patched for High-Severity UXSS Vulnerability',
 'type': 'Vulnerability Exploitation',
 'vulnerability_exploited': 'AutoConsent JS bridge in DuckDuckGo Android browser (UXSS)'}