A cybersecurity researcher discovered a new phishing technique that leverages Microsoft WebView2 applications to bypass Multi-Factor Authentication (MFA) and steal login cookies.
Retrieving a victim’s login credentials alone is no longer enough, now that MFA has become standard. However, as mr.d0x showed in the Proof-of-Concept demonstration, WebView2 also offers cookie extraction capabilities.
“WebView2 also provides built-in functionality to extract cookies,” says the researcher. “This allows an attacker to extract cookies after the user authenticates into the legitimate website.”
In this scenario, an attacker simply waits until the victim authenticates to the legitimate website rendered inside the malicious app and then extracts the resulting session cookies. Because those cookies are issued only after the victim has completed the MFA challenge, they already represent a fully authenticated session, which removes the need for a separate MFA-bypassing or cookie-extraction tool.
To make matters worse, the researcher disclosed that WebView2 can also “steal all available cookies for the current user” and that this claim “was successfully tested on Chrome.”
As effective as this attack may be, it still requires social engineering. The victim must first download the malicious file, run it, and then log into their account through the login form inside the app, which the attacker has instrumented with a keylogger.
“This technique has its pros and cons,” as mr.d0x puts it. “The clear trade-off is a binary must be executed on the host machine and the user must enter the credentials into the application.”
To protect yourself against this type of attack, follow basic security hygiene:
- Avoid downloading files from unknown sources, including websites, emails, or URLs in messages
- Don’t open suspicious links, especially if you don’t know the sender
- Don’t open unknown attachments, whether they’re documents or executables
- Avoid entering your credentials into untrusted or unknown applications
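The advice above is aimed at end users. For defenders, the trade-off mr.d0x describes is also the detection opportunity: the attacker's binary has to run on the host, and any WebView2-based application launches the WebView2 runtime, msedgewebview2.exe, as a child process. The following is an added example written for this page, not code from the article or from mr.d0x's PoC. It runs a simple hunt over constructed Sysmon-style process-creation records and flags msedgewebview2.exe instances whose parent is not a known WebView2 host, with a stronger label when that parent runs from a user-writable location such as Downloads. The record layout, the KNOWN_HOSTS allow-list and the directory patterns are hypothetical starting points to be tuned for your own environment.

```python
"""Hunt for WebView2 host applications launched from suspicious locations.

Added example, not part of the original article or mr.d0x's PoC. Input
records are constructed Sysmon-style process-creation events; the
allow-list and directory patterns are hypothetical and need local tuning.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
import re

# The WebView2 runtime process that every WebView2-based app spawns.
WEBVIEW2_RUNTIME = "msedgewebview2.exe"

# Hypothetical allow-list of applications known to embed WebView2 in this
# environment. Anything else hosting the runtime deserves a look.
KNOWN_HOSTS = {"teams.exe", "outlook.exe", "widgets.exe", "msedge.exe"}

# Directories an ordinary user can write to. A freshly downloaded phishing
# payload is typically executed from one of these.
USER_WRITABLE = re.compile(
    r"\\(downloads|desktop|appdata\\local\\temp|temp)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    """Minimal subset of a process-creation event (constructed layout)."""
    pid: int
    image: str
    parent_image: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a finding label for one event, or None if it looks benign."""
    if basename(ev.image) != WEBVIEW2_RUNTIME:
        return None  # not the WebView2 runtime, nothing to say
    parent = basename(ev.parent_image)
    if parent in KNOWN_HOSTS:
        return None  # expected host application
    if USER_WRITABLE.search(ev.parent_image):
        # Unknown host AND it lives where a downloaded payload would: the
        # pattern described in the article.
        return "webview2-host-from-user-writable-path"
    return "webview2-host-unknown"


def hunt(events: List[ProcessEvent]) -> List[Tuple[int, str]]:
    """Run classify() over a batch and keep only the findings."""
    findings = []
    for ev in events:
        label = classify(ev)
        if label is not None:
            findings.append((ev.pid, label))
    return findings


# Constructed sample events: one legitimate host, one Downloads payload,
# one unrelated browser launch, one unknown but non-user-writable host.
SAMPLE_EVENTS = [
    ProcessEvent(4120,
                 r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
                 r"C:\Program Files\Microsoft\Teams\current\Teams.exe"),
    ProcessEvent(5208,
                 r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
                 r"C:\Users\alice\Downloads\Invoice_Viewer.exe"),
    ProcessEvent(5330,
                 r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(6010,
                 r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
                 r"C:\Tools\Dashboard\Dashboard.exe"),
]

if __name__ == "__main__":
    for pid, label in hunt(SAMPLE_EVENTS):
        print(f"pid {pid}: {label}")
```

The parent/child relationship is the signal worth keeping even if you change everything else: a signed, well-known application hosting WebView2 is normal, while an unsigned executable in a user's Downloads folder hosting it, a few minutes after a mail attachment was opened, is exactly the delivery path the article describes. In a real deployment the allow-list would be built from signer information rather than file names, which an attacker can choose freely.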