What makes an application's built-in browser dangerous


A new phishing campaign uses Microsoft Edge WebView2 to steal victims' cookies, allowing an attacker to bypass multi-factor authentication (MFA) when logging into a stolen account.

Microsoft Edge WebView2 allows you to embed a web browser into applications using Microsoft Edge as a rendering engine. Using this technology, applications can load any website and display it in the built-in browser.

However, WebView2 also gives the application developer direct access to cookies and the ability to inject JavaScript into a loaded web page. That makes it usable for logging keystrokes and stealing authentication cookies, and then sending them to a remote server.

The new “WebView2-Cookie-Stealer” campaign uses social engineering and consists of a WebView2 executable file which, when launched, opens a login form for a legitimate website inside the application.

In a PoC attack by cybersecurity researcher Mr.d0x, the executable opened a Microsoft login form using WebView2. Since the WebView2 application can inject JavaScript into the page, all user keystrokes are automatically sent back to the attacker’s web server.

A cybercriminal can also steal cookies (including authentication cookies) after a user logs in. The attacker can then go to the login form for the compromised account and import the cookies to be authenticated on the site automatically. The attack allows a cybercriminal to bypass MFA, since the cookies are stolen after the user has logged in and passed multi-factor authentication.
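Because the stolen cookie is replayed from the attacker's own browser, the service side can look for a session that suddenly appears from a different client. The sketch below is an added example, not part of the original article or the PoC; the log fields, the sample events and the /24 and /64 tolerance are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample events (not real logs): time, session id, user, client IP, User-Agent.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:02Z", "sess-A", "alice", "198.51.100.10", "Mozilla/5.0 Edg/124.0"),
    ("2024-05-01T09:05:40Z", "sess-A", "alice", "198.51.100.77", "Mozilla/5.0 Edg/124.0"),
    ("2024-05-01T09:07:11Z", "sess-B", "bob", "203.0.113.5", "Mozilla/5.0 Firefox/125.0"),
    ("2024-05-01T09:20:15Z", "sess-A", "alice", "192.0.2.44", "Mozilla/5.0 Chrome/124.0"),
    ("2024-05-01T09:30:00Z", "sess-B", "bob", "203.0.113.5", "Mozilla/5.0 Firefox/125.0"),
]

@dataclass(frozen=True)
class Finding:
    session_id: str
    user: str
    time: str
    reasons: tuple

def network_of(ip):
    """Coarse client location: /24 for IPv4, /64 for IPv6, to tolerate address churn."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def find_replayed_sessions(events):
    """Flag requests where a session cookie appears from a client that differs
    from the one that established it (the first event seen for that session id)."""
    first_seen = {}  # session id -> (network, user agent) at login
    findings = []
    for time, sid, user, ip, ua in sorted(events):  # ISO timestamps sort chronologically
        net = network_of(ip)
        if sid not in first_seen:
            first_seen[sid] = (net, ua)
            continue
        base_net, base_ua = first_seen[sid]
        reasons = []
        if net != base_net:
            reasons.append(f"network {base_net} -> {net}")
        if ua != base_ua:
            reasons.append("user-agent changed")
        if reasons:
            findings.append(Finding(sid, user, time, tuple(reasons)))
    return findings

if __name__ == "__main__":
    for finding in find_replayed_sessions(SAMPLE_EVENTS):
        print(finding)
```

A finding is a signal to require re-authentication for that session. A replay that matches the victim's network and User-Agent will not be caught by this check alone.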

“This method of social engineering requires an attacker to convince the user to download and run a malicious application. We recommend that users avoid launching or installing applications from unknown sources, as well as maintain up-to-date antivirus software,” Microsoft said.
