Security researcher mr.dox has developed a new attack method that uses Microsoft Edge WebView2 to steal credentials, bypass two-factor authentication and access cookies. The technique, called WebView2-Cookie-Stealer, gives attackers broad means of logging in to online services as the victim.
WebView2 lets developers embed web content into Windows programs, with the Microsoft Edge rendering engine used to display that content. WebView2's rich functionality makes it attractive to attackers, who can load the genuine login page of any popular service inside their own program. One of the control's main features is the ability to run JavaScript in the loaded page; mr.dox used this to inject malicious code into pages loaded by a program that uses WebView2.
To demonstrate the attack, the researcher created a program that loads the real Microsoft login form and injects a JavaScript keylogger into it. Because the genuine site is loaded, antivirus software does not block it and two-factor authentication proceeds normally. Users see no difference between the login form inside the program and the same page loaded in a browser, so everything they type is silently sent to the attacker's server.
The keylogger on its own does not give access to accounts protected by two-factor authentication. However, the program can also steal any cookies, including authentication cookies. They are exported in base64-encoded form, which is trivial to decode. WebView2 can be used to steal all cookies of the active user, and with the same capability an attacker can take data from Chrome or other browsers: passwords, bookmarks, history and other information.
The main limitation of this attack is that a malicious application has to run on the user's device. Capturing credentials requires the user to log in to the service, but cookie theft can happen without any login. Although Microsoft Defender did not block the keylogger program created by mr.dox, antivirus software can prevent a WebView2-based application from running malware.
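As an added example (not from the researcher's tooling or this article), here is a triage heuristic a defender could run over process-creation telemetry: surface WebView2 runtime hosts whose parent process lives outside the standard Windows install locations, which is how a dropped malicious WebView2 application like the one described above would typically appear. The event field names follow Sysmon-style `Image`/`ParentImage`, and all paths, versions and events are constructed sample data.

```python
# Heuristic: the WebView2 runtime host (msedgewebview2.exe) is launched on behalf of
# the application embedding it, so its *parent* identifies the app. A parent outside
# the usual install directories (e.g. a binary in Temp or Downloads) is worth triage.
# Assumption: per-user installs of legitimate apps also live under AppData, so this
# flags candidates for review; pair it with signer checks before alerting or blocking.

WEBVIEW_HOST = "msedgewebview2.exe"

# Directories where legitimately installed applications normally reside (prefix match).
TRUSTED_PARENT_PREFIXES = (
    r"c:\program files\\",
    r"c:\program files (x86)\\",
    r"c:\windows\\",
)

# Constructed sample events (not real telemetry). Version string is a placeholder.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\0.0.0.0\msedgewebview2.exe",
     "ParentImage": r"C:\Program Files\WindowsApps\SomeStoreApp\SomeStoreApp.exe"},
    {"Image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\0.0.0.0\msedgewebview2.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice_viewer.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _parent_is_trusted(parent_image: str) -> bool:
    """True when the parent binary sits under a standard install directory."""
    p = parent_image.lower()
    return any(p.startswith(prefix.replace("\\\\", "\\")) for prefix in TRUSTED_PARENT_PREFIXES)


def suspicious_webview_hosts(events):
    """Return parent images of WebView2 hosts launched from non-standard locations."""
    flagged = []
    for ev in events:
        if _basename(ev.get("Image", "")) != WEBVIEW_HOST:
            continue  # not a WebView2 runtime host process
        parent = ev.get("ParentImage", "")
        if not _parent_is_trusted(parent):
            flagged.append(parent)
    return flagged


if __name__ == "__main__":
    for parent in suspicious_webview_hosts(SAMPLE_EVENTS):
        print("review WebView2 host spawned by:", parent)
```

Tune `TRUSTED_PARENT_PREFIXES` to your estate (per-user installs under AppData are common for legitimate software), and use the result as a lead for signer and hash verification rather than a standalone block rule.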