Microsoft WebView2 phishing technique can bypass MFA and steal login cookies


A cybersecurity researcher has developed a new phishing technique that can bypass multi-factor authentication and steal login cookies through Microsoft Corp’s Edge WebView2.

WebView2 is a runtime, a component that runs alongside an application, that provides web functionality in Microsoft 365 desktop apps using Microsoft Edge as the rendering engine. As detailed on June 21 by mr.d0x, the proof-of-concept phishing attack, dubbed “WebView2-Cookie-Stealer”, involves injecting malicious JavaScript code into websites loaded inside an application that uses WebView2.

In one example, mr.d0x injected a JavaScript keylogger into a legitimate Microsoft login form loaded using WebView2. The page itself renders normally, but with the JavaScript running in the background, the code captures whatever the user types and sends it back to a web server designated by the attacker.

The method does not stop at keylogging. Taking advantage of the way WebView2 accepts JavaScript, mr.d0x was also able to steal all cookies sent by the remote server after a user logged in, including authentication codes.

Mr.d0x also explains that WebView2 can be used to steal all cookies available to the current user in Google LLC’s Chrome browser. WebView2 allows an attacker to launch it with an existing user data folder, or UDF, rather than creating a new one, and that folder contains all of the user’s passwords, sessions and bookmarks.
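The profile-reuse step described above has a defensive counterpart: a WebView2 host process normally gets its own user data folder, so one being started on a standalone browser's profile is a signal worth alerting on. The following is an added detection example, not code from the article or from mr.d0x. It assumes (these names are not on the page) that the WebView2 runtime host process is msedgewebview2.exe, that the UDF appears on its command line as the Chromium-style --user-data-dir switch, and that Chrome and Edge keep their profiles under the default "User Data" locations. The process-creation events it scans are constructed samples in the shape of Sysmon event ID 1 / Windows 4688 fields, not real telemetry.

```python
import re

# Assumed names (not from the article): the WebView2 runtime host process
# is msedgewebview2.exe, and the user data folder (UDF) handed to it shows
# up on its command line as the Chromium-style --user-data-dir switch.
WEBVIEW2_HOST = "msedgewebview2.exe"
UDF_SWITCH = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.IGNORECASE)

# Profile roots of standalone browsers (default Windows locations, assumed).
# A WebView2 host has no ordinary reason to open one of these; each app
# normally gets its own UDF, so reuse of a browser profile is the signal.
BROWSER_PROFILE_ROOTS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
)

# Constructed process-creation events (Sysmon event ID 1 / Windows 4688
# style fields); none of these are real telemetry.
SAMPLE_EVENTS = [
    {   # Ordinary WebView2 use: the host app points at its own folder.
        "pid": 4120,
        "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
        "parent_image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
        "command_line": r'msedgewebview2.exe --user-data-dir="C:\Users\alice\AppData\Local\Microsoft\Teams\EBWebView"',
    },
    {   # Suspicious: a downloaded executable spawns WebView2 on Chrome's profile.
        "pid": 5120,
        "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
        "parent_image": r"C:\Users\alice\Downloads\free_game_cheat.exe",
        "command_line": r'msedgewebview2.exe --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    },
    {   # Chrome opening its own profile is normal and is not a WebView2 host.
        "pid": 6001,
        "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "command_line": r'chrome.exe --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    },
    {   # WebView2 with no explicit UDF: falls back to the runtime default.
        "pid": 7330,
        "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
        "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
        "command_line": r"msedgewebview2.exe --no-first-run",
    },
]


def extract_udf(command_line):
    """Return the --user-data-dir value (quoted or bare) or None."""
    m = UDF_SWITCH.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_browser_profile(path):
    """True if the UDF lies inside a standalone browser's profile tree."""
    p = path.lower().rstrip("\\")
    return any(root in p for root in BROWSER_PROFILE_ROOTS)


def find_profile_reuse(events):
    """Flag WebView2 host processes started on another browser's profile."""
    findings = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name != WEBVIEW2_HOST:
            continue
        udf = extract_udf(ev["command_line"])
        if udf is not None and is_browser_profile(udf):
            findings.append({
                "pid": ev["pid"],
                "parent": ev["parent_image"],
                "udf": udf,
            })
    return findings


if __name__ == "__main__":
    for hit in find_profile_reuse(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: WebView2 opened {hit['udf']} (parent {hit['parent']})")
```

On the sample set only the process spawned from the Downloads folder is reported. In a real pipeline the parent image is the second useful field: legitimate WebView2 hosts are launched by known applications, so a parent outside Program Files or the per-user app directories raises the priority of the alert, and the rule stays silent for Chrome or Edge opening their own profiles because those are not WebView2 host processes.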

The methodology could easily be used to steal cookies and import them with a simple Chrome extension such as “EditThisCookie”, Bleeping Computer reported Sunday. However, the most concerning aspect is that the attack methodology completely bypasses MFA, one-time passwords and security keys, because the cookies are stolen after the user has already logged in.

“This attack demonstrates that while useful, MFA is not a magic bullet against phishing attacks,” Erich Kron, security awareness advocate at security awareness training firm KnowBe4 Inc., told SiliconANGLE. “Additional precautions must be taken to secure accounts and protect organizations from attack.”

Kron explained that the attack relies on a human to take a dangerous action – running a program downloaded from the internet – to begin its work. That makes it a much smaller threat to the average user than an attack that uses a more easily disguised delivery method. It especially exposes people who download pirated software or game cheats.

“To protect against such attacks, having a policy against downloading or running unapproved software or browser add-ons, and educating users about the dangers of running such software, may significantly reduce the risk to the organization,” Kron added.

Image: mr.d0x
