Microsoft Edge vulnerable to cookie and password theft
The Microsoft Edge browser seems to have a severe password vulnerability. Recent reports reveal that attackers or hackers could easily obtain user password and cookie files for online accounts, a vulnerability that was discovered by security expert Manuel Caballero, someone with vast experience of unearthing Edge and Internet Explorer bugs and flaws.
Attackers can bypass Edge’s SOP protection
The vulnerability lets an attacker load and execute malicious code using data URIs, Meta refresh tag, and domainless pages such as about:blank. This exploitation technique has many variations and Caballero showed the ways in which a hacker could execute code on high-profile sites just by tricking users to access a malicious URL.
The last attack re-exposed a security error in the design of modern browsers: the hacker’s ability to logout a user, load a login page, and steal the user’s credentials automatically filled in by the browser’s password autofill feature.
The vulnerability is still unpatched. For this reason, Caballero provided demos to download so users can inspect the source code and make sure their passwords and cookies aren’t uploaded anywhere.
Attacks are automated by malvertising
It also seems that attacks can be customized to dump the passwords or cookies of more online services such as Amazon, Facebook, and more. Only Edge is affected because “UXSS/SOP bypasses tend to be particular to each browser.”
For more information, you can read Caballero’s technical description of the issue.
RELATED STORIES TO CHECK OUT:
- This is why the new version of Microsoft Edge doesn’t impress users
- Enable full screen on Microsoft Edge with this simple command
- Zoom in Microsoft Edge with this new extension
Microsoft recently rolled out the Windows 10 Build 18298. Let’s see what we can look forward to seeing in the near future. Before we start, […]
Windows File Protection happens to be a built-in Windows feature designed to protect critical system files from getting replaced or overwritten, be it inadvertently or […]
Christmas is almost here, and if you’re planning to do so shopping, we suggest that you have a look at these great USB gadgets for […]