An information security expert known as mr.d0x has developed a new attack technique that abuses Microsoft Edge WebView2 applications to steal authentication cookies. In theory, this allows bypassing multi-factor authentication when logging into stolen accounts.
The new attack technique is called WebView2-Cookie-Stealer and consists of a WebView2 executable file that, when launched, opens a legitimate site's login form inside the application.
For example, in the mr.d0x PoC exploit, the executable file opens a legitimate Microsoft login form using an embedded WebView2 element. This login form looks exactly the same as when using a browser and does not contain anything suspicious (typos, strange domain names, and so on).
To do this, the researcher explains, the app creates a Chromium User Data folder the first time it is launched and reuses it on every subsequent launch. The malicious application then uses the built-in WebView2 interface ICoreWebView2CookieManager to export the cookies received from a successful authentication and sends them to a server controlled by the attacker.
Once the attacker decodes the base64-encoded cookies, he has the site's authentication cookies in full, and with them the ability to log into someone else's account.
Mr.d0x also writes that WebView2 applications can be used to steal cookies from an existing Chrome user profile by copying them.
Ultimately, an attacker could use these cookies simply by going to the login form for the hijacked account and then importing the cookie using any suitable Chrome extension, such as EditThisCookie. After importing the cookie, all that remains is to refresh the page for authentication on the site.
Even worse, such an attack also bypasses multi-factor authentication, since cookies are stolen after the user has logged in and successfully completed the MFA.
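Because the cookie is taken after MFA has already succeeded, the only place left to catch its reuse is the server that accepts it. The following is an added example, not code from mr.d0x's PoC or from Microsoft: it binds each session to a coarse client fingerprint (IP /24 plus User-Agent) at the moment MFA completes and flags later requests that present the same session cookie from a different client. The log format, the field names and the fingerprint recipe are assumptions chosen for the example; the log lines are constructed.

```python
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed access-log lines (not real data): timestamp, user, session cookie id,
# client IP, user agent, action. "sess-A" completes MFA on the user's Windows laptop
# and later reappears from another network and browser, which is what a replayed,
# exported cookie looks like from the server side.
SAMPLE_LOG = [
    "2022-06-20T09:00:01Z alice sess-A 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/102.0 mfa_ok",
    "2022-06-20T09:05:12Z alice sess-A 203.0.113.10 Mozilla/5.0 (Windows NT 10.0) Chrome/102.0 get /mail",
    "2022-06-20T09:30:44Z alice sess-A 198.51.100.7 Mozilla/5.0 (X11; Linux x86_64) Chrome/103.0 get /mail",
    "2022-06-20T10:00:00Z bob sess-B 192.0.2.55 Mozilla/5.0 (Macintosh) Safari/605.1 mfa_ok",
    "2022-06-20T10:02:30Z bob sess-B 192.0.2.55 Mozilla/5.0 (Macintosh) Safari/605.1 get /files",
]

# Assumed log layout: the user agent may contain spaces, so it is matched non-greedily
# up to the trailing action token.
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.+?) (mfa_ok|get \S+)$")


def client_fingerprint(ip: str, user_agent: str) -> str:
    """Coarse client identity: the /24 of the IPv4 address plus the User-Agent string.

    Hashed so the value can be stored next to the session without keeping raw
    identifiers; /24 tolerates small address changes on the same network.
    """
    prefix = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{prefix}|{user_agent}".encode()).hexdigest()[:16]


def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    ts, user, sid, ip, ua, action = m.groups()
    return {"ts": ts, "user": user, "sid": sid, "ip": ip, "ua": ua, "action": action}


def evaluate_request(bound: Dict[str, str], sid: str, fp: str) -> str:
    """Decision for one request carrying session cookie `sid` from client `fp`.

    'allow'   - client matches the one that completed MFA for this session
    'step-up' - same cookie, different client: require fresh authentication
    'unknown' - no MFA record for this session id
    """
    if sid not in bound:
        return "unknown"
    return "allow" if bound[sid] == fp else "step-up"


def find_replayed_sessions(lines: List[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Return {session_id: [(timestamp, user, ip), ...]} for every request that used a
    post-MFA session cookie from a client other than the one that completed MFA."""
    bound: Dict[str, str] = {}  # session id -> fingerprint recorded at mfa_ok
    alerts: Dict[str, List[Tuple[str, str, str]]] = {}
    for line in lines:
        e = parse_line(line)
        fp = client_fingerprint(e["ip"], e["ua"])
        if e["action"] == "mfa_ok":
            bound[e["sid"]] = fp  # bind the session at the moment MFA completes
            continue
        if evaluate_request(bound, e["sid"], fp) == "step-up":
            alerts.setdefault(e["sid"], []).append((e["ts"], e["user"], e["ip"]))
    return alerts


if __name__ == "__main__":
    for sid, hits in find_replayed_sessions(SAMPLE_LOG).items():
        for ts, user, ip in hits:
            print(f"{ts} session {sid} of {user} replayed from {ip}: require re-authentication")
```

Run on the constructed log, `find_replayed_sessions` reports only `sess-A`, used from 198.51.100.7 with a Linux user agent half an hour after MFA was completed from 203.0.113.10 on Windows; `sess-B` stays clean. The check is deliberately coarse: a /24 plus User-Agent match is an anomaly signal that should trigger step-up authentication, not a hard deny, since legitimate users do change networks. It also does nothing against an attacker who replays the cookie from a client that mimics the original fingerprint; a stronger answer is to bind the session to a key held on the device, which an exported cookie does not carry.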
In response, Microsoft developers noted that such an attack requires preparation and social engineering, because attackers first need to convince the user to download and run a malicious executable file. The company added that it always recommends users avoid running and installing applications from unknown or untrusted sources and keep their security software up to date.