Microsoft Edge Vulnerability Could Allow Password Theft

A vulnerability in the Microsoft Edge browser can be exploited to load and execute malicious code and obtain a target’s password and account session cookies. The vulnerability allows attackers to bypass the browser’s Same Origin Policy, a security feature designed to prevent one website from loading and executing scripts from another website. In his proof-of-concept demonstrations, security researcher Manuel Caballero shows how the vulnerability can be used to execute code on the Bing homepage, tweet on behalf of another user, and steal password and cookie files from a Twitter account. Caballero also claims the attack can be customized to dump the passwords or cookies of other online services. The flaw could be leveraged by malvertising campaigns to automate delivery of the exploit. Caballero has disclosed a technical write-up and recorded a video of the attack. The vulnerability is currently unpatched. The NJCCIC recommends that all Microsoft Edge users avoid clicking links from unknown or untrusted sources, use ad-blocking browser extensions, and update the browser when a patch becomes available.