Threat actors could leverage a new phishing technique involving Microsoft Edge WebView2 applications to exfiltrate authentication cookies without being stopped by multi-factor authentication, according to BleepingComputer.
Developed by cybersecurity researcher mr.d0x, the new WebView2-Cookie-Stealer attack uses a WebView2 executable that displays a legitimate site's login form, which is free from suspicious elements. WebView2 applications could be used to create a Chromium User Data folder and export the stolen cookies using the WebView2 'ICoreWebView2CookieManager' interface. Site authentication cookies could be fully accessed once the base64-encoded cookies are decoded, said the report.
"WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome. WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks etc. Chromes UDF is located at C:UsersAppDataLocalGoogleChromeUser Data. We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker's server," mr.d0x said.
Microsoft WebView2 apps used in novel phishing technique