
Microsoft WebView2 apps used in novel phishing technique

Threat actors could leverage a new phishing technique involving Microsoft Edge WebView2 applications to exfiltrate authentication cookies without being stopped by multi-factor authentication, according to BleepingComputer. Developed by cybersecurity researcher mr.d0x, the new WebView2-Cookie-Stealer attack includes a WebView2 executable that displays a legitimate site's login form, which is free from suspicious elements. WebView2 applications could be used to create a Chromium User Data folder and export the stolen cookies using the WebView2 'ICoreWebView2CookieManager' interface. Site authentication cookies could be fully accessed once the base64-encoded cookies are decoded, said the report.

"WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome. WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks etc. Chrome's UDF is located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data. We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker's server," mr.d0x said.
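For defenders, the UDF reuse described in the quote is visible in process-creation telemetry. The following detection sketch is an added example, not code from the article or from mr.d0x; it assumes events with `image`, `cmdline` and `pid` fields (a hypothetical schema) and that the WebView2 runtime process `msedgewebview2.exe` receives its profile path and host name as `--user-data-dir` and `--webview-exe-name` arguments.

```python
import re

# Assumption: the WebView2 runtime is started with these two arguments.
UDF_ARG = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))', re.I)
HOST_ARG = re.compile(r'--webview-exe-name=(?:"([^"]+)"|(\S+))', re.I)
# Chrome's own profile root (or anything below it); an embedded WebView2
# app has no legitimate reason to run on top of it.
CHROME_UDF = re.compile(r'\\AppData\\Local\\Google\\Chrome\\User Data(?:\\|$)', re.I)

def _arg(pattern, cmdline):
    """Return the (quoted or bare) value of a command-line argument, or None."""
    m = pattern.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None

def find_udf_reuse(events):
    """Flag WebView2 runtime processes launched against Chrome's User Data Folder."""
    alerts = []
    for ev in events:
        image = ev["image"].replace("/", "\\").lower()
        if not image.endswith("\\msedgewebview2.exe"):
            continue  # Chrome using its own profile is expected
        udf = _arg(UDF_ARG, ev["cmdline"])
        if udf is None:
            continue
        if CHROME_UDF.search(udf.replace("/", "\\").rstrip("\\")):
            host = _arg(HOST_ARG, ev["cmdline"]) or "unknown"
            alerts.append({"pid": ev["pid"], "host": host, "udf": udf})
    return alerts

# Constructed sample events (not real telemetry).
WV2 = r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe"
SAMPLE_EVENTS = [
    {"pid": 2208, "image": WV2, "cmdline": f'"{WV2}" --embedded-browser-webview=1 '
     r'--webview-exe-name=ContosoApp.exe '
     r'--user-data-dir="C:\Users\alice\AppData\Local\Contoso\App\EBWebView"'},
    {"pid": 4312, "image": WV2, "cmdline": f'"{WV2}" --embedded-browser-webview=1 '
     r'--webview-exe-name=invoice_viewer.exe '
     r'--user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
    {"pid": 5120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'chrome.exe --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"'},
]

if __name__ == "__main__":
    for alert in find_udf_reuse(SAMPLE_EVENTS):
        print(f"ALERT pid={alert['pid']} host={alert['host']} udf={alert['udf']}")
```

Only the second constructed event is flagged: the first uses an app-private folder, and the third is Chrome opening its own profile.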
