Microsoft Edge Flaw Allows Password Theft, Tweeting On Others’ Behalf

Caballero showing how to steal the password in Edge

Manuel Caballero, a security researcher who has lately been focusing on finding flaws in Microsoft’s Edge browser, uncovered a new bug that would allow an attacker to steal users’ passwords for popular web services.

Bypassing Same Origin Policy

The same-origin policy (SOP) is an important security concept for web applications: it prevents code running on one web page from reading sensitive data belonging to another origin. Without SOP, an attacker could modify the contents of a web page in the user’s browser and steal personal information.

Caballero found an SOP bypass in the Edge browser that would allow an attacker to tweet in the name of a logged-in user by executing malicious code with the help of a data uniform resource identifier (URI), meta refresh tags, and domainless pages such as "about:blank."

For the attack to work, the attacker would first have to trick the victim into clicking a malicious link. In the demos presented on his website, Caballero was able to execute malicious code on the Bing home page, tweet on behalf of another user, and steal the password and cookies from a Twitter account.

Attack Exploits Edge’s Password Autofill Feature

Stealing the password was possible because of Edge’s built-in password manager, which autofills users’ passwords after they’ve been logged out. Once the victim has loaded the attacker’s code in the browser by clicking the malicious link, the attacker can capture the autofilled password.

According to Caballero, the vulnerability is still unpatched. We contacted Microsoft about it and asked whether it will be patched soon, and a spokesperson gave us the following reply:

Windows has a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. Our standard policy is to provide solutions via our current Update Tuesday schedule.

Caballero added that this attack could be automated through malvertising (malicious ads) to obtain passwords from thousands of users of Facebook, Amazon, and other services, too.

“If an attacker is hosted inside a Yahoo banner and the user is logged in into her Twitter account, she will be owned with no interactions, at all,” warned Caballero.

The SOP bypass vulnerability affects only the Edge browser because SOP implementations are different for each browser. Edge was recently the most hacked browser at the Pwn2Own hacking competition, but it looks like researchers can still find major bugs in it. Microsoft recently promised some significant security improvements for Edge, but it remains to be seen how useful they'll be in practice.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • Dark Lord of Tech
    Who uses EDGE?
  • JamesSneed
    19606578 said:
    Who uses EDGE?

    I was thinking the same thing while reading. I just checked on net market share and edge has about 5% usage.
  • dstarr3
    "Tweeting Like Charles Darwin" sounds like a strange pop song.
  • drwho1
    I don't use "edge" and hate that we can't truly get rid of it. If we do it gets installed back on the next upgrade. It's annoying.
  • cats_Paw
    What is Edge?
  • The Paladin
    Edge Razor of course.
  • hdmark
    Why does Microsoft keep trying to push Edge so hard? The only thing Edge is good for is installing another browser..
  • 19606578 said:
    Who uses EDGE?
    Apparently, 606 mobile network operators in about 213 countries.

    ... and everybody whose phone says "E" instead of "3G" or "4G", though probably not out of their own free will.
  • dstarr3
    I have to use Internet Explorer at work. Those with Windows 10 machines have to use Edge. It's the only browser my company supports, so we don't really have a choice. If we want to get work done and minimize risk of failure on tasks, we have to use IE/Edge. I'm sure my company is far from the only one. It's like the Office suite. Yeah, there are free and open-source alternatives, but if you want to get work done without the risk of compatibility problems, you just use Office.

    That said, I also have Chrome installed for my own personal browsing at work, because IE/Edge are miserable. But, if it's work, I gotta use IE/Edge.
  • SinxarKnights
    IDK everybody hates on Edge but I gave it a fair shot and it isn't bad. Just doesn't do what I want it to do.

    My question is, why isn't Chrome vulnerable to this? It autofills usernames/passwords as well, sometimes in the wrong area.