A new phishing technique could abuse Microsoft Edge WebView2 applications to steal victims’ authentication cookies, which attackers can then use to bypass MFA when logging in to accounts.

A new phishing technique 

A researcher known as mr. d0x has devised a new phishing method dubbed WebView2-Cookie-Stealer.
  • The attack relies on a WebView2 executable; the researcher created a proof-of-concept that opens a genuine Microsoft login form.
  • The attack allows an attacker to directly access cookies and inject JavaScript into a webpage loaded by the application in order to log keystrokes and steal authentication cookies.
  • Additionally, the researcher disclosed that a WebView2 application can steal cookies from an existing Chrome user profile simply by copying the user's existing Chromium profile.
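
For defenders, the profile-copying step is the most observable part of the technique. The sketch below is an added example, not code from the researcher or from the original article: it flags any process other than Chrome itself that touches files under a user's Chrome "User Data" directory. It assumes file-access telemetry is already being collected (for example by an EDR agent or object-access auditing); the event tuples, the allow-listed install path and the sample executable name are constructed for illustration.

```python
import ntpath

# Default Chrome profile root on Windows, relative to the user's home directory.
CHROME_PROFILE_ROOT = r"appdata\local\google\chrome\user data"
# Assumption: full image paths expected to touch the profile; tune per environment.
# Matching the full path (not just the file name) avoids trusting a renamed binary.
ALLOWED_IMAGES = {r"c:\program files\google\chrome\application\chrome.exe"}

# Constructed sample events (not real telemetry): time, process image, target path.
SAMPLE_EVENTS = [
    ("10:01:02", r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("10:07:41", r"C:\Users\alice\Downloads\login_app.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    ("10:07:41", r"C:\Users\alice\Downloads\login_app.exe",
     r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Local State"),
    ("10:09:13", r"C:\Windows\explorer.exe",
     r"C:\Users\alice\Documents\report.docx"),
]

def touches_chrome_profile(path):
    """True if path is, or lies inside, a user's Chrome 'User Data' directory."""
    # normpath collapses '..' segments so traversal cannot fake or hide a match.
    norm = ntpath.normpath(path).lower()
    return ("\\" + CHROME_PROFILE_ROOT + "\\") in (norm + "\\")

def suspicious_profile_access(events, allowed=ALLOWED_IMAGES):
    """Return {process image: [(time, target), ...]} for non-allow-listed access."""
    hits = {}
    for ts, image, target in events:
        if not touches_chrome_profile(target):
            continue
        if ntpath.normpath(image).lower() in allowed:
            continue
        hits.setdefault(image, []).append((ts, target))
    return hits

if __name__ == "__main__":
    for image, accesses in suspicious_profile_access(SAMPLE_EVENTS).items():
        print(f"ALERT {image}: {len(accesses)} Chrome profile file(s) accessed")
        for ts, target in accesses:
            print(f"  {ts} {target}")
```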

How does the attack work?

The researcher describes the technique as a social engineering attack: the user has to run a malicious executable.
  • When launched, it opens up a genuine website's login form inside the application.
  • The login form does not include any suspicious elements such as typos or strange domain names.
  • As the WebView2 app can insert JavaScript into the page, whatever a user types is sent back to the attacker’s web server.
  • Thus, the application can steal any cookies sent by the remote server after a user logs in.

Conclusion

The phishing technique makes it possible to bypass even security mechanisms such as MFA. Thus, experts suggest following cybersecurity best practices, avoiding the installation of apps from untrusted sources, and always running Microsoft Defender or other anti-malware software.
Cyware Publisher