Phishing attack

The smart phishing method bypasses MFA using Microsoft WebView2 applications – BleepingComputer

Identity theft attack

A smart, new phishing technique uses Microsoft Edge WebView2 applications to steal cookies to authenticate the victim, allowing threat actors to bypass multifactor authentication when logging into stolen accounts.

With a large number of data breaches, remote access Trojan attacks and phishing campaigns, stolen login credentials have become plentiful.

However, the growing acceptance of Multifactor Authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also does not have access to the target one-time MFA codes or security keys.

This has led to threat actors and researchers devising new ways to circumvent the MFA, including zero-day website vulnerabilities,, reverse proxiesand smart techniques, such as Browser in browser attack and using VNC for local display of remote browsers.

This week, a cybersecurity researcher mr.d0x has created a new phishing method that uses Microsoft Edge WebView2 applications to easily steal cookies to authenticate users and report stolen accounts, even if they are protected by MFA.

Microsoft Edge WebView2 to help

This new attack of social engineering is called WebView2-Cookie Theft and consists of a WebView2 executable file that, when launched, opens a login form to a legitimate web page within the application.

Microsoft Edge WebView2 allows you to embed a web browser, with full support for HTML, CSS, and JavaScript, directly into your native applications using Microsoft Edge (Chromium) as a rendering engine.

Using this technology, applications can load any website into the original application and display it as if you were opening it in Microsoft Edge.

However, WebView2 also allows the developer to directly access cookies and insert JavaScript into a web page loaded by the application, making it a great tool for recording keystrokes and stealing cookies for authentication and then sending them to a remote server.

In the new mr.d0xa attack, the concept proof executable will open a legitimate Microsoft login form using the built-in WebView2 control.

As you can see below, the login form is displayed exactly as it would be when using a regular browser and does not contain any suspicious elements such as typos, strange domain names, etc.

WebView2 phishing attack that opens a Microsoft login form
WebView2 phishing attack that opens a Microsoft login form
Source: BleepingComputer

As the WebView2 application can insert JavaScript into the page, everything the user enters is automatically sent back to the attacker’s web server.

However, the real power of this type of application is the ability to steal all cookies sent by a remote server after a user logs in, including authentication cookies.

To do this, mr.d0x told BleepingComputer that the application creates a Chromium user data folder the first time it is run, and then uses that folder for each subsequent installation.

The malicious application then uses the embedded WebView2 ‘ICoreWebView2CookieManager‘interface to export site cookies after successful authentication and send them back to the server that controls the attacker, as shown below.

Malicious WebView2 application that recovers stolen cookies
Malicious WebView2 application that recovers stolen cookies
Source: BleepingComputer

Once an attacker decodes base64-encrypted cookies, they will have full access to the site’s authentication cookies and will be able to use them to log in to the account.

Decoded cookies stolen by WebView2
Decoded cookies stolen by WebView2
Source: BleepingComputer

The researcher also found that it was possible to use the WebView2 app to steal cookies for an existing user profile in Chrome by copying their existing Chromium profile.

“WebView2 can be used to steal all available cookies for the current user. This has been successfully tested on Chrome,” he explains. report on this technique mr.d0x.

“WebView2 allows you to boot from an existing user data folder (UDF) instead of creating a new one. UDF contains all passwords, sessions, bookmarks, etc. Chrome’s UDF is located at C: \ Users \\ AppData \ Local \ Google \ Chrome \ User Data.”

“We can simply tell WebView2 to run the instance using this profile and after launching it extracts all the cookies and transfers them to the attacker’s server.”

Asked how an attacker could use those cookies, mr.d0x told BleepingComputer that they could go to the account login form they stole and import cookies using a Chrome extension like ‘EditThisCookie’. Once the cookies are imported, they simply refresh the page to be automatically checked on the website.

What is more worrying is that this attack also bypasses the MFA secured by OTPs or security keys, as cookies are stolen after the user logs in and successfully solves their multifactor authentication challenge.

“Let’s say an attacker places in their webview2 application, and the user logs in, and then cookies can be extracted and exfiled to the attacker’s server.”

“Yubikeys can’t save you because you’re verifying authenticity on the RIGHT website, not on the identity theft website.”


Furthermore, these cookies will be valid until the session expires or until some other verification is performed after the authentication that detects unusual behavior.

“So unless they have some additional POST-AUTHENTICATION checks, then it won’t be detected, and of course it’s not that easy to implement,” mr.d0x told BleepingComputer.

Social engineering is needed for an attack

However, as mr.d0x acknowledges and Microsoft has pointed out in its response to our questions, this attack is a social engineering attack and requires users to run a malicious executable file.

“This social engineering technique requires attackers to persuade a user to download and run a malicious application,” Microsoft told BleepingComputer in a statement regarding the new technique.

“We encourage users to practice safe computing habits, avoid running or installing applications from unknown or unreliable sources, and keep Microsoft Defender (or other anti-malware software) up and running.”

Therefore, asking someone to run an application may require additional work.

In addition, history has shown us that many people “just run things” without thinking about the consequences, whether it’s email attachments, random downloads from the internet, cracks and cheats, and cheating games.

All of these methods have been proven to work with quite a bit of effort, leading to the installation of ransomware, remote access trojans, password theft trojans, and more.

Therefore, a researcher’s WebView2 attack is feasible, especially if it is designed to look like a legitimate installer that requires you to log in first. For example, a fake installer for a Microsoft Office, game, or Zoom client.

Although this attack has not been used in real-world attacks, the researchers ’techniques are used quickly in attacks in the past, so this is something that security administrators and professionals need to look out for.

As for how to protect yourself from these attacks, all the regular cyber security tips remain the same.

Do not open unknown attachments, especially if they are executable, scan files you download from the Internet, and do not enter your credentials into the application unless you are 100% sure that the program is legitimate.

#smart #phishing #method #bypasses #MFA #Microsoft #WebView2 #applications #BleepingComputer

Leave a Comment

Your email address will not be published.