Blog

A security researcher recently developed a new phishing technique using the Microsoft WebView app. This new technique has the potential to bypass MFA and steal login cookies and poses severe risks to the enterprise and individual users.

New phishing attack in Microsoft WebView to bypass MFA

Security researchers found a way for Microsoft Edge's WebView2 app to steal the target user's authentication cookies, enabling the attacker to bypass multi-factor authentication (MFA) to log into stolen accounts. 

Amid database breaches, malware-based credential leakage, and phishing campaigns, stolen user credentials have become abundant online. Enterprise and individual users have started leveraging multi-factor authentication (MFA) to add a layer of security to the authentication process. However, with the advent of this technique, attackers can target one-time MFAs codes and security numbers. 

Ethical Hacker, Mr.D0x is behind the release of this Microsoft WebView vulnerability. He also developed the Browser-in-the-Browser (BitB) attack method earlier this year.

How does a Microsoft WebView2 attack bypass MFA?

As explained in the proof of concept by Mr. D0x, "WebView2-Cookie-Stealer" injects malicious JavaScript code within the websites loaded in the app using the Microsoft WebView 2. As a demonstration, Mr. D0x injected a JavaScript keylogger within the legitimate Microsoft login form. This login form gets loaded with the help of Microsoft WebView2. 

Users will see the webpage rendering as usual. But a malicious JavaScript code is running in the background that grabs anything the user enters/types in those fields. It then sends the data to the specified web server.

Microsoft WebView2 allows attackers to implant a web browser to leverage the full support for HTML, JavaScript, and CSS in the native apps using Microsoft Edge (which uses Chromium as the browser rendering engine). Through this strategy, applications can load any website within a native app – it will appear as if it got opened in Microsoft Edge. 

Taking advantage of how WebView2 blends in JavaScript code, attackers can steal authentication cookies sent by the app's remote server, including authentication codes, as the user logs in.

The researcher stated, "WebView2 also provides built-in functionality to extract cookies. It allows an attacker to extract cookies after the user authenticates into a legitimate website. This technique removes the need to spin up Evilginx2 or Modlishka, but the obvious trade-off is that the user must execute the binary and authenticate."

This cookie-stealing method can also import and extract cookies using a simple Chrome extension called the "EditThisCookie." The attack can also use the built-in WebView2 "ICoreWebView2CookieManager" interface to export the website's successfully authenticated cookies. However, the more concerning and alarming aspect is that this attack method can bypass multi-factor authentication (MFA) completely and takeover one-time passwords and security keys as it compromises the cookies after the user logs in. 

The security awareness promoter at security awareness training company KnowBe4 Inc., Erich Kron, stated, "Other precautions must be taken to secure accounts and protect organizations against attack." He further explained that it might lead a victim to a dangerous activity and requires a single program (downloaded from the internet) to start the attack.

Prevention

To avoid such threats, enterprises should stop using Microsoft Edge and apps leveraging Microsoft WebView2. Again, since one-time passcodes and security keys are no longer fit for MFA and additional security, users should use biometric authentication as 2FA. 

Lastly, enterprises should leverage modern authentication measures like risk-based authentication (RBA) or adaptive authentication techniques that will not allow anyone else to enter the system from an unknown location.

Final thoughts

Phishing attacks and their variants are gaining prominence. Microsoft's WebView is susceptible to phishing, enabling attackers to bypass MFA as the presence of malicious JavaScript code works as a keylogger and cookie stealer. Security researchers have warned that MFA is no longer a silver bullet to safeguard against phishing attacks.

As a prevention measure, enterprises should stop using apps that utilize Microsoft WebView2 and opt for biometric authentication methods as an additional security layer. Also, they should consider leveraging modern authentication measures like risk-based authentication or adaptive authentication to further tighten their security posture.