Threat actors could leverage a new phishing technique involving Microsoft Edge WebView2 applications to exfiltrate authentication cookies without being thwarted by multi-factor authentication, according to BleepingComputer.
Developed by cybersecurity researcher mr.d0x, the new WebView2-Cookie-Stealer attack consists of a WebView2 executable that loads a legitimate site's genuine login form, so nothing on screen looks suspicious. The WebView2 application creates its own Chromium User Data folder and exports the cookies set during the login through the WebView2 'ICoreWebView2CookieManager' interface. The exported cookies are base64-encoded; once decoded, they give full access to the site's authentication cookies, the report said.
"WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome. WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks, etc. Chrome's UDF is located at C:\Users\<username>\AppData\Local\Google\Chrome\User Data. We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker's server," mr.d0x said.
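The second variant described above, a WebView2 host pointed at the user's real browser profile, leaves a process-creation artifact that defenders can look for: the WebView2 runtime process started with a user data folder that belongs to an interactive browser rather than to the hosting application. The following detection logic is an added example, not code from the article, BleepingComputer or mr.d0x. It assumes process-creation telemetry is available as JSON lines with `image`, `command_line` and `parent_image` fields (a constructed format), that the runtime process is `msedgewebview2.exe`, and that the profile location surfaces on the command line through Chromium's `--user-data-dir` switch; the sample log lines are constructed for the example.

```python
"""Flag WebView2 runtime processes that were started on top of an
interactive browser profile instead of the host app's own user data folder.

Added detection example. Assumptions: JSON-lines process-creation events with
"image", "command_line" and "parent_image" fields (constructed format), the
WebView2 runtime binary name msedgewebview2.exe, and the Chromium
--user-data-dir switch carrying the profile path.
"""
import json
import re
from pathlib import PureWindowsPath

WEBVIEW2_RUNTIME = "msedgewebview2.exe"

# Profile folders that belong to an interactive browser, as the contiguous
# path components that follow C:\Users\<name>. Compared case-insensitively.
BROWSER_PROFILE_SUFFIXES = (
    ("appdata", "local", "google", "chrome", "user data"),
    ("appdata", "local", "microsoft", "edge", "user data"),
)

# Quoted or unquoted value of the --user-data-dir switch.
USER_DATA_DIR_RE = re.compile(r'--user-data-dir=(?:"([^"]+)"|(\S+))')


def extract_user_data_dir(command_line: str):
    """Return the user data folder named on the command line, or None."""
    m = USER_DATA_DIR_RE.search(command_line)
    if not m:
        return None
    return m.group(1) or m.group(2)


def is_browser_profile_dir(path: str) -> bool:
    """True when the path is, or lies inside, a Chrome or Edge profile folder."""
    parts = tuple(p.lower() for p in PureWindowsPath(path).parts)
    for suffix in BROWSER_PROFILE_SUFFIXES:
        n = len(suffix)
        for i in range(len(parts) - n + 1):
            if parts[i:i + n] == suffix:
                return True
    return False


def analyze_event(event: dict):
    """Return a finding for a WebView2 runtime opened on a browser profile."""
    image_name = PureWindowsPath(event.get("image", "")).name.lower()
    if image_name != WEBVIEW2_RUNTIME:
        return None
    udf = extract_user_data_dir(event.get("command_line", ""))
    if udf is None or not is_browser_profile_dir(udf):
        return None
    return {
        "parent_image": event.get("parent_image"),
        "user_data_dir": udf,
        "reason": "WebView2 runtime started with an interactive browser profile",
    }


def scan_log(lines):
    """Run analyze_event over JSON lines; return the list of findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        finding = analyze_event(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample telemetry (not real events). Two lines should be flagged:
# the runtimes launched from Downloads and Temp that reuse Chrome's and Edge's
# profile folders. The app that uses its own EBWebView folder and the ordinary
# chrome.exe launch should not be.
SAMPLE_LOG = r"""
{"image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\EXAMPLE-VERSION\\msedgewebview2.exe", "command_line": "msedgewebview2.exe --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\"", "parent_image": "C:\\Users\\alice\\Downloads\\Invoice_Viewer.exe"}
{"image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\EXAMPLE-VERSION\\msedgewebview2.exe", "command_line": "msedgewebview2.exe --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\ExampleApp\\EBWebView\"", "parent_image": "C:\\Users\\alice\\AppData\\Local\\ExampleApp\\ExampleApp.exe"}
{"image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "command_line": "chrome.exe --user-data-dir=\"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\"", "parent_image": "C:\\Windows\\explorer.exe"}
{"image": "C:\\Program Files (x86)\\Microsoft\\EdgeWebView\\Application\\EXAMPLE-VERSION\\msedgewebview2.exe", "command_line": "msedgewebview2.exe --user-data-dir=\"C:/Users/alice/AppData/Local/Microsoft/Edge/User Data\"", "parent_image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"}
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['parent_image']} -> {f['user_data_dir']}: {f['reason']}")
```

The check keys on the combination, not on either half alone: WebView2 runtimes are common on a Windows endpoint and browsers legitimately open their own profiles, but a WebView2 host has no reason to open the interactive browser's profile. Pairing the finding with the parent image, as the output does, gives the analyst the host binary to pivot on.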