Thursday, October 3, 2024
HomeCVE/vulnerabilityCritical Microsoft Edge Vulnerability leads to Bypass the Password and Cookie...

Critical Microsoft Edge Vulnerability leads to Bypass the Password and Cookie Theft – Still Not Yet Patched

Published on

[jpshare]Critical Microsoft Edge Vulnerability Allows to  steal  the cookies and password revealed by Recent Research by  PoC (Proof-of-Concepts) .This Vulnerability Discovered under bypass the Same Origin Policy (SOP).

This Vulnerability Allows to Bypass the victims cookies by force  them to access the Malicious URL in Microsoft Edge browser.

This Vulnerability has  been tested in Twitter Account by twit with Malicious URL and trick the  active session twitter Account Holder to click the link .

- Advertisement - EHA

Researcher Explained with (Proof-of-Concepts),  Victims Clicks the link in Microsoft Edge browser,  its will pop-up to the another Window which contain some information which makes to victim keep busy with Reading the particular page which popped up the new Window.

According to Researcher Victim opened a new inPrivate window and loaded the URL that Attacker sent him. What he didn’t know was that browser windows, even inPrivate, can communicate with each other.

window.open(“javascript:alert(document.cookie)”, “dm-post-iframe”);
 
Once Execute the above Code finally Cookie will be Popup in Victims window.
 
 

This Security Flow attacker’s ability to logout a user, load the login page, and steal the user’s credentials that are automatically filled in by the browser’s password autofill feature.

TRY THIS DEMO

This Proof of Concepts Discover by the Edge Browser Hidden Auto fill future which leads to force the victims Logout the  session and Log in again. Researcher Said.

Attackers use malvertising:

According to  Malwarebytes ,malvertising Act Without your knowledge a tiny piece of code hidden deep in the advert is making your computer go to criminal servers.

It will deploying their bad bits inside cheap banners from popular sites. If an attacker is hosted inside a Yahoo banner and the user is logged in into her Twitter account, she will be owned with no interactions, at all.

These then catalogue details about your computer and its location, before choosing which piece of malware to send you. This doesn’t need a new browser window and you won’t know about it.

Currently Unpatched This Security Flow:

This vulnerability is  Still Not Yet patched, This Vulnerability  Versions of the proof-of-concept demos are explained in online [1, 2, 3] .

Caballero is providing the demos for download, so others can inspect the source code and make sure their passwords and cookies aren’t uploaded anywhere.

Also Researcher said ,Before running the PoC, consider that it is your account the one that will be exposed, Nothing is being sent to the network but if there’s somebody behind you, she will see your password in a regular alert dialog. Watch out!

Also Read :

WordPress vulnerable to Cross-Site Request Forgery in Connection Information – Not yet fixed with last Update

Risk with Steganography and Importance of running Steganalysis with Network Systems

Using n1n3 to Simulate an evasive “Fileless” Malware – Proof Of Concept

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

ANY.RUN Upgrades Threat Intelligence to Identify Emerging Threats

ANY.RUN announced an upgrade to its Threat Intelligence Portal, enhancing its capabilities to identify...

Cisco Nexus Vulnerability Let Hackers Execute Arbitrary Commands on Vulnerable Systems

A critical vulnerability has been discovered in Cisco's Nexus Dashboard Fabric Controller (NDFC), potentially...

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

Tor Browser 13.5.6 Released – What’s New!

The Tor Project has announced the release of Tor Browser 13.5.6, which is now...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Hackers Now Exploit Ivanti Endpoint Manager Vulnerability to Launch Cyber Attacks

The Cybersecurity and Infrastructure Security Agency (CISA) has announced the addition of a new...

CISA Warns of Four Vulnerabilities that Exploited Actively in the Wild

The Cybersecurity and Infrastructure Security Agency (CISA) has warned about four critical vulnerabilities currently...

RansomHub Ransomware Using Multiple Techniques To Disable EDR And Antivirus

The RansomHub ransomware group tracked as Water Bakunawa, employs targeted spear-phishing to exploit the...