Researcher Discovers New MFA-bypassing Phishing Technique Based on Microsoft WebView2

A cybersecurity researcher discovered a new phishing technique that leverages Microsoft WebView2 applications to bypass Multi-Factor Authentication (MFA) and steal login cookies.

The researcher behind the discovery, known as mr.d0x, also published a Browser-in-the-Browser (BITB) attack technique earlier this year.

The newly discovered technique uses Microsoft Edge WebView2 applications to steal victims’ authentication cookies and log in to their accounts even if they’re MFA-protected. The attack is possible through JavaScript injection piggybacking on a built-in WebView2 function.

In the example, mr.d0x used a specially crafted WebView2 application that loaded a JavaScript keylogger injected into a legitimate Microsoft login form. The researcher also showed how the keylogger could fetch keystrokes from within the decoy application.

Retrieving a victim’s login credentials is often not enough on its own nowadays, considering that MFA has slowly become standard. However, as mr.d0x showed in their Proof-of-Concept demonstration, WebView2 also boasts cookie extraction capabilities.

“WebView2 also provides built-in functionality to extract cookies,” says the researcher. “This allows an attacker to extract cookies after the user authenticates into the legitimate website.”

In this situation, attackers could simply wait until the victim authenticates into the legitimate website showcased by the malicious app and extract the authentication cookies. This eliminates the need for additional MFA-bypassing or cookie extraction tools.

To make matters worse, the researcher disclosed that WebView2 can also “steal all available cookies for the current user” and that this claim “was successfully tested on Chrome.”

As vicious as this attack may seem, it still requires some social engineering. The victim must first download the malicious file, execute it, then log into their account using the keylogger-infected form within the app.

“This technique has its pros and cons,” as mr.d0x puts it. “The clear trade-off is a binary must be executed on the host machine and the user must enter the credentials into the application.”

To protect yourself against this type of attack, follow healthy cybersecurity protocols, such as:

  • Avoid downloading files from unknown sources, including websites, emails, or URLs in messages
  • Don’t open suspicious links, especially if you don’t know the sender
  • Don’t open unknown attachments, whether they’re documents or executables
  • Avoid entering your credentials into untrusted or unknown applications