Manuel Caballero, a security researcher who has lately focused on finding flaws in Microsoft’s Edge browser, has uncovered a new bug that would allow an attacker to steal users’ passwords for popular web services.
Bypassing Same Origin Policy
The same-origin policy (SOP) is a core security concept for web applications: a document loaded from one origin (scheme, host and port) may not read data belonging to a document from a different origin. It is what stops script on an attacker’s page from reading the DOM, cookies or form contents of another site open in the same browser. Without SOP, an attacker could modify the contents of a web page in the user’s browser and steal personal information.
Caballero found an SOP bypass in Edge that would allow an attacker to tweet in the name of a logged-in user by executing malicious code with the help of a data uniform resource identifier (URI), meta refresh tags, and domainless pages such as "about:blank."
For the attack to work, the attacker first has to trick the victim into clicking a malicious link. In the demos on his website, Caballero was able to execute code on the Bing home page, tweet on behalf of another user, and steal the password and cookies of a Twitter account.
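To make concrete what a correct SOP check must enforce for the pages in this story, here is an added example (not code from Caballero’s write-up or from Edge) that computes origins with Node’s WHATWG URL parser and compares them. The URLs are constructed for illustration; the `data:` and `about:blank` cases are the "domainless" pages the bypass abuses.

```javascript
// Added example, not from the article or the researcher's demos.
// The origin of a URL is the (scheme, host, port) tuple; two documents
// may touch each other's DOM, cookies or form fields only when the
// tuples match exactly. Node's URL class implements the same parser
// browsers use, so URL.origin gives the serialized origin.

function originOf(urlString) {
  // URL.origin serializes an opaque origin as the string "null".
  // data: URLs and about:blank have no host, so they come back as "null".
  return new URL(urlString).origin;
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  // An opaque origin is same-origin with nothing, not even itself:
  // script in a data: document must get no site's authority.
  if (oa === "null" || ob === "null") return false;
  return oa === ob;
}

// The answers a correct SOP implementation has to give (constructed URLs).
function demo() {
  return {
    // same scheme/host, explicit default port, different paths: same origin
    twitterPaths: sameOrigin("https://twitter.com/home", "https://twitter.com:443/settings"),
    // scheme differs: different origin, even for the same host
    httpVsHttps: sameOrigin("http://twitter.com/", "https://twitter.com/"),
    // different hosts: different origin
    bingVsTwitter: sameOrigin("https://www.bing.com/", "https://twitter.com/"),
    // a data: document must never be treated as twitter.com
    dataUri: sameOrigin("data:text/html,<script>alert(1)</script>", "https://twitter.com/"),
    // about:blank on its own has no origin of its own either
    aboutBlank: sameOrigin("about:blank", "https://twitter.com/"),
  };
}

console.log(demo());
```

One caveat the standalone parser cannot show: in a live browser, an `about:blank` document opened by script inherits the origin of the document that created it, and older engines did the same for `data:` URIs. Those inheritance rules are exactly the edges where browser SOP implementations diverge and where bypasses like this one are found, so a check like the one above is necessary but not sufficient on its own.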
Attack Exploits Edge’s Password Autofill Feature
Stealing the password is possible because of Edge’s built-in password manager, which refills the saved credentials into the login form when the user is sent back to it after being logged out. Once the victim has clicked the attacker’s link and the malicious code is running in the browser, that code can read the autofilled password straight out of the form.
According to Caballero, the vulnerability was still unpatched at the time of writing. We contacted Microsoft to ask whether it will be patched soon, and a spokesperson gave us the following reply:
Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.
Caballero added that the attack could be automated through malvertising (malicious ads) to harvest passwords from thousands of users of Facebook, Amazon, and other services as well.
“If an attacker is hosted inside a Yahoo banner and the user is logged into her Twitter account, she will be owned with no interactions, at all,” warned Caballero.
The SOP bypass affects only Edge: the policy itself is common to all browsers, but each vendor implements it independently, so a flaw in one engine’s handling of data URIs or about:blank does not carry over to the others. Edge was recently the most hacked browser at the Pwn2Own hacking competition, and researchers are evidently still finding major bugs in it. Microsoft recently promised significant security improvements for Edge, but it remains to be seen how useful they will be in practice.