web analytics
Home » Technology » New phishing Technique bypasses MFA with Microsoft WebView2 apps

New phishing Technique bypasses MFA with Microsoft WebView2 apps

A security researcher has presented a new phishing method that makes itself complicit in WebView2 applications in Microsoft Edge. The attack bypasses multi-factor authentication and defeats an important security feature.

That reports that Bleeping Computer Online Magazine is an advanced phishing method targeting Windows users. In general, using multi-factor authentication (MFA) makes access to sensitive data more difficult, but once this hurdle is overcome, an attack from the outside is relatively easy. Of the Security researcher, Mr.d0x has now introduced a method that uses Microsoft Edge WebView2 applications to steal authentication cookies from a user. However, this only works if the attacker has already obtained the credentials for the accounts he wants to take over through other leaks. Stealing the MFA is just the last step. Infographic: These are the most successful subject lines in phishing

WebView2 Cookie Stealer

This new social engineering attack, also known as the WebView2 cookie stealer, consists of a WebView2 executable file that, when launched, opens the login form of a legitimate website within the application. WebView2 technology allows applications to load any website into a native application and display it as if it were opened in Microsoft Edge. WebView2 also makes it possible to directly access cookies and inject JavaScript into the web page loaded by an application. This makes it an excellent tool for logging keystrokes and stealing authentication cookies. mr.d0x has demonstrated a proof-of-concept program for this type of attack, which mimics the legitimate Microsoft login form using the built-in WebView2 control and sniffs out all the necessary credentials.

A telltale map

However, the real strength of this type of application is its ability to steal all cookies sent by the remote server after user login, including authentication cookies. As mr.d0x explained to BleepingComputer, the application creates a folder with Chromium user data when it runs for the first time and then uses that folder for each subsequent installation.

The malicious application uses a built-in WebView2 interface to export the website’s cookies after successful authentication and return it to the attacker. Once the attacker has decrypted the base64-encoded cookies, they will have full access to the website authentication cookies and can use them to login into a user account. However, the exploitability of this vulnerability is limited, as victims must first load an executable program, which the hacker then uses to initiate access.

This can also happen undetected, for example via email attachments, random downloads from the internet, cracks, and warez or game cheats. “This social engineering technique requires an attacker to persuade a user to download and run a malicious application,” Microsoft told Bleeping Computer in a statement about the new technique. Microsoft advises: “We encourage users to use safe computer habits, avoid running or installing applications from unknown or untrusted sources, and keep Microsoft Defender (or other anti-malware software) up to date.”