Beat 2FA authentication with WebView2

Microsoft, of all people, enables phishers to trick secure two-factor authentication (2FA) using the WebView2 module.

Anonymous security researcher mr.d0x explains how in his recently published article you can use the WebView2 element to trick two-factor authentication (2FA). For more convenience, the websites store the cookies in the browser after a successful 2FA login. The WebView2 bug allows third parties to access these cookies to gain full account access themselves. The application is in the Microsoft Edge browser.

In this case, of course, the 2FA check using an app or short message would be omitted. Some but not all providers also check the browser used. If this deviates from the previously used browsers, you must also confirm your identity with the link in an e-mail sent for this purpose. Then the phishers would have more problems taking over the accounts.

What is WebView2?

According to the manufacturer, the Microsoft Edge WebView2 control enables the Embedding web technologies (HTML, CSS and JavaScript) into native applications. Essentially, developers can use WebView2 technology to create an executable that can communicate with other web applications in a manner similar to a browser. This is intended to improve desktop applications and provide additional functions for interacting with web applications. That’s the theory. In practice, the world looks a bit different at the moment.

The main advantage of using WebView2 for attackers is the rich functionality. The module allows the phishers to take over the login data and sessions in the form of complete cookies. With the help of a built-in WebView2 function, JavaScript can be easily inserted into any website. This means cyber criminals can inject a keylogger or other malicious JavaScript there.

Screenshot: The keylogger successfully transfers what you type on the keyboard.

It’s not that easy after all

Then it’s quite simple for the hackers to log keystrokes and the cookies instead of the user sent to servers on the Internet. The side then thinks the user on the other end is already authenticated. Microsoft has already reacted to the WebView2 bug. This is a social engineering attack and therefore not so wild because the user has to run a malicious file beforehand. That’s true. But this is certainly not an insurmountable obstacle for cybercriminals.

How to protect yourself from the WebView2 bug?

  • That sounds trivial but it’s true: Please don’t use Windows! The vulnerability simply doesn’t exist anywhere else!
  • never open any executable files that you have received via messenger, e-mail etc.
  • Be careful when starting other media. Don’t forget: PDF documents, videos etc. can sometimes contain malware
  • never open links that are unknown to you. Especially not if you don’t know the sender!
  • Windows users please keep antivirus software up to date
  • download new programs only from trusted sources
  • Conclusion

    The disadvantage for phishers is that the victim must have executed a malicious file as a prerequisite. Fortunately, it is not that easy to outwit the 2FA method.

    Cyber ​​criminals can, by the way, extend the functionality of the existing WebView2 application. This would, for example, even enable remote access to third-party computers. In the method presented by mr.d0x, the binary uses only the legitimate functions provided by Microsoft. This probably makes it harder to be detected as an intruder by antivirus programs.

    If you are interested in further details: You can read the full step-by-step instructions from the security researcher here. An introduction to the Microsoft Edge WebView2 software is available there.

    Lars Sobiraj started in 1010 as a career changer for various computer magazines to be. 2000 numerous other online magazines were added in addition to He is the founder of In addition, Ghandy, as he calls himself in the scene, since 2014 at various universities and training institutions attendees on how the Internet works.

8852492530 2054

Related Articles

Back to top button