Microsoft Edge Vulnerability Allows Cookie and Password Theft

+warwagon    13,037
Quote

 

A vulnerability in the Microsoft Edge browser can be exploited and allow an attacker to obtain a user's password and cookie files for various online accounts.

The vulnerability came to light following research by Manuel Caballero, a security expert who has a long history of unearthing Edge [1, 2] and Internet Explorer flaws [1].

 

Caballero's recent discovery is a bypass of the Same Origin Policy (SOP), a browser security feature that prevents website A from loading and executing scripts loaded from website B.

Vulnerability lets attackers bypass Edge's SOP protection

 

This flaw, which Caballero disclosed today in a headache-inducing technical write-up, allows an attacker to load and execute malicious code with the help of data URIs, meta refresh tag, and domainless pages, such as about:blank.

 

In various variations of the exploitation technique, Caballero showed how an attacker could execute code on high-profile sites just by tricking the victim into accessing a malicious URL.

In three proof-of-concept demos, the researcher executed code on the Bing homepage, tweeted on behalf of another user, and stole the password and cookie files from a Twitter account.

The last attack re-exposed a security flaw in the design of modern browsers, such as an attacker's ability to log out a user, load the login page, and steal the user's credentials that are automatically filled in by the browser's password autofill feature.

 

 

 


https://www.bleepingcomputer.com/news/security/microsoft-edge-vulnerability-allows-cookie-and-password-theft/

 

Checked the front page going back to April 21st and didn't see it posted.

tompkin    153

Has anyone seen an estimated time when this might be fixed?

+warwagon    13,037
1 hour ago, tompkin said:

Has anyone seen an estimated time when this might be fixed?

 

I don't know, I hadn't heard much coverage about it.
