Security researcher Manuel Caballero has discovered a vulnerability in the code of Microsoft's default browser for Windows 10, that can allow the theft of password and cookie data from your computer, giving unauthorized access to sites such as Facebook and Twitter.
As he explains, the issue stems from a problem with the Same Origin Policy (SOP) in Edge, which is a security measure that seeks to stop such data used on one domain from being accessed via another. However, it seems that Microsoft's implementation of the policy leaves much to be desired, with this being the third such flaw discovered in the policy.
Even worse, the two methods discovered previously have still not been patched in the latest updates for Windows, and according to Caballero, his method is even faster and more direct. He points to Microsoft's relatively inconsistent patching cycle compared to other browsers like Chrome and Firefox as being to blame.
Callabero posted the above YouTube video as a proof of concept for the exploit, and has a detailed run-down on it on his blog.
The discovery comes just days after Google's Project Zero discovered a vulnerability in Windows 10 that they described as 'crazy bad' and 'the worst' in recent memory. The vulnerability was fixed by Microsoft soon after the discovery.
Source: Manuel Callabero via ON MSFT
38 Comments - Add comment