A new attack tactic can exploit the MS WebView2 and evade MFA protocol

New Attack Tactic Exploit MS WebView2 Evade MFA Protocol

Researchers recently discovered a new phishing strategy that could exploit the Microsoft Edge WebView2 applications to exfiltrate and steal authentication cookies. Subsequently, malicious phishing operators can utilise these authentication cookies to avoid the MFA functionality and login accounts effortlessly.

A cybersecurity researcher has developed this new phishing method called “WebView2-Cookie-Stealer.” The devised phishing attack includes a WebView2 executable, which the researcher designed to create a proof-of-concept PoC that opens an authentic Microsoft login form.

The PoC has shown that the attack could enable a threat actor to access cookies directly and attach JS inside a webpage loaded by an application to steal authentication cookies and log keystrokes. In addition, the researcher revealed that threat actors could use the WebView2 application to steal cookies from a saved Google Chrome user profile.

If a malicious attacker can copy a Chromium profile, they will be granted access to the cookies used by the profile owner. This idea indicated that an attacker could steal saved cookies from a user profile without directly infecting its device.

 

The exploit of Microsoft WebView2 is highly dependent on specific tactics and operations to conduct the attack successfully.

 

The attack depends on social engineering strategies, and a user must operate a malicious executable to begin the exploit of WebView2. For the attack to commence, the earlier mentioned steps should be accomplished by a threat actor.

If a user launches the executable, it will open an authentic website’s login form inside the application. The login form does not include suspicious elements such as weird domain names or typos.

The more intriguing part is that whatever a user types on its device will be automatically sent back to an attacker-controlled web server. Hence, the application can also potentially steal cookies sent by the remote server after logging in.

This new phishing strategy makes bypassing security mechanisms such as MFA a possibility. Cybersecurity experts recommend that users follow proper cyber practices, minimise the installation of applications from unknown apps, and always employ Microsoft Defender or any competent anti-malware solution.

About the author

Leave a Reply