Security News: DuckDuckGo Browser UXSS Flaw in Auto Consent JS Bridge Enables Cross-Origin Code Execution

Parkinsond (Thread author)
Dec 6, 2023
A critical Universal Cross-Site Scripting (UXSS) vulnerability was recently discovered in the DuckDuckGo Android browser.

This flaw allowed untrusted, cross-origin iframes to execute arbitrary JavaScript in the top-level origin, tracked with a high-severity CVSS score of 8.6.

The vulnerability stems from the “AutoconsentAndroid” JavaScript bridge, a native component injected into web pages loaded by the DuckDuckGo Android application (com.duckduckgo.mobile.android).

This bridge is designed to facilitate seamless communication between the browser’s native Android code and the web page displayed.

However, it failed to implement proper security checks, leading to a severe breach of the Same-Origin Policy (SOP).

UXSS is considered a critical browser-class vulnerability because it can be exploited without user interaction.

 
Search quality. Horrible name, logo and graphics. Search page is a junk pile, but DDG bills itself as "Protection. Privacy. Peace of mind." :LOL:👎👎

DDG browser: who needs another browser in the browser wars? :LOL:
 
> Search quality. Horrible name, logo and graphics. Search page is a junk pile, but DDG bills itself as "Protection. Privacy. Peace of mind." :LOL:👎👎
>
> DDG browser: who needs another browser in the browser wars? :LOL:
The fastest browser on earth

 
Saying that, I wonder what the use case is for DDG search when you use Gmail as your main email or an Android phone. Logically it doesn't make sense to use DDG.
DDG uses the Bing engine; their results are very close.
Startpage and Ecosia use the Google engine.
Yandex, God knows what they are using 😂

Bing/DDG are fine for scientific search.
Google/Startpage/Ecosia are good too, with the advantage of better general search.
Yandex has the advantage of not following Western restrictions, thus it gets the best matches for piracy websites :cool:
 
> DDG uses the Bing engine; their results are very close.
> Startpage and Ecosia use the Google engine.
> Yandex, God knows what they are using 😂
>
> Bing/DDG are fine for scientific search.
> Google/Startpage/Ecosia are good too, with the advantage of better general search.
> Yandex has the advantage of not following Western restrictions, thus it gets the best matches for piracy websites :cool:
Brave Search beats DDG hands-down.
> Saying that, I wonder what the use case is for DDG search when you use Gmail as your main email or an Android phone. Logically it doesn't make sense to use DDG.
You may have a valid point. I use Brave Search in Chrome on Android and Windows. It's also clutter-free and more eye pleasing than others I've used. I use G now and then.
 
It's not my favorite, but DuckDuckGo's results have likely improved alongside Bing's own noticeable progress. The search layout doesn't look too bad. They've also made it highly customizable from built-in settings. The brand is still silly.

Brave Search has proven highly usable for me. It's easy, fast, and keeps a clean layout. I usually fall back to Startpage if I want to supplement with Google results.

It's interesting to recall how far back DuckDuckGo's history reaches—it all started in 2008. DDG publicly stated that their annual revenue exceeded $100M back in 2021, 13 years after it was founded. Brave just passed $100M in annual revenue in 2025, 10 years after it was founded in 2015.

Brave operating an independent search index costs them significantly more than just paying Bing, but DDG handles ~100 million daily queries, nearly twice as many as Brave's ~53 million announced in 2025. Brave Search launched in 2021. The growth achieved by Brave is impressive.