Microsoft Edge vulnerable to cookie and password theft

By: Costea Lestoc
2 minute read

The Microsoft Edge browser seems to have a severe password vulnerability. Recent reports reveal that attackers or hackers could easily obtain user password and cookie files for online accounts, a vulnerability that was discovered by security expert Manuel Caballero, someone with vast experience of unearthing Edge and Internet Explorer bugs and flaws.

Attackers can bypass Edge’s SOP protection

The vulnerability lets an attacker load and execute malicious code using data URIs, Meta refresh tag, and domainless pages such as about:blank. This exploitation technique has many variations and Caballero showed the ways in which a hacker could execute code on high-profile sites just by tricking users to access a malicious URL.

Caballero showed three demos in which he executed code on the Bing homepage, tweeted in the name of another user, and stole the password and cookie files from a Twitter account.

The last attack re-exposed a security error in the design of modern browsers: the hacker’s ability to logout a user, load a login page, and steal the user’s credentials automatically filled in by the browser’s password autofill feature.

The vulnerability is still unpatched. For this reason, Caballero provided demos to download so users can inspect the source code and make sure their passwords and cookies aren’t uploaded anywhere.

Attacks are automated by malvertising

It also seems that attacks can be customized to dump the passwords or cookies of more online services such as Amazon, Facebook, and more. Only Edge is affected because “UXSS/SOP bypasses tend to be particular to each browser.”

Modern ads deliver JavaScript code to browsers and this is why attackers can facilitate malvertising campaigns to automate the delivery of this exploit to a huge amount of victims.

For more information, you can read Caballero’s technical description of the issue.

RELATED STORIES TO CHECK OUT:

For various PC problems, we recommend this tool.

This software will repair common computer errors, protect you from file loss, malware, hardware failure and optimize your PC for maximum performance. Fix PC issues now in 3 easy steps:

  1. Download this PC Repair Tool rated "Excellent" on TrustPilot.com.
  2. Click “Start Scan” to find Windows issues that could be causing PC problems.
  3. Click “Repair All” to fix all issues with Patended Technologies (requires upgrade).

Discussions

Next up

Best Windows 10 antivirus software to use in 2018

By: Radu Tyrsina
7 minute read

Update – 2018 will soon come to an end and we already have a guide on what is the best antivirus you should get in […]

Continue Reading

These features are out for good with Windows 10 version 1809

iamsovy@gmail.com' By: Sovan Mandal
2 minute read

Microsoft is all set to launch its next big update, Windows 10 version 1809 in October. While that should be a nice piece of news […]

Continue Reading

Windows 10 18H2 builds no longer receive new features

By: Matthew Adams
3 minute read

The Windows 10 October 2018 Update (otherwise 18H2) rollout might now be two to three weeks away. For the last few months, new build previews […]

Continue Reading