fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Clever Phishing Method Bypasses MFA using Microsoft WebView2 Apps

Clever Phishing Method Bypasses MFA using Microsoft WebView2 Apps

A clever, new phishing technique uses Microsoft Edge WebView2 applications to steal victim’s authentication cookies, allowing threat actors to bypass multi-factor authentication when logging into stolen accounts.

With the large number of data breaches, remote access trojan attacks, and phishing campaigns, stolen login credentials have become abundant.

However, the increasing adoption of multi-factor authentication (MFA) has made it difficult to use these stolen credentials unless the threat actor also has access to the target’s one-time MFA passcodes or security keys.

This has led to threat actors and researchers coming up with new ways of bypassing MFA, including zero-day website vulnerabilitiesreverse proxies, and clever techniques, such as the Browser in the Browser attack and utilizing VNC to display remote browsers locally.

This week, cybersecurity researcher mr.d0x has created a new phishing method that uses Microsoft Edge WebView2 applications to easily steal a user’s authentication cookies and log into stolen accounts, even if they are secured with MFA.

Also Read: 12 Damaging Consequences of Data Breach

Microsoft Edge WebView2 to the rescue

This new social engineering attack is called WebView2-Cookie-Stealer and consists of a WebView2 executable that, when launched, opens up a legitimate website’s login form inside the application.

Microsoft Edge WebView2 allows you to embed a web browser, with full support for HTML, CSS, and JavaScript, directly in your native apps using Microsoft Edge (Chromium) as the rendering engine.

Using this technology, apps can load any website into a native application and have it appear as it would if you opened it in Microsoft Edge.

However, WebView2 also allows a developer to directly access cookies and inject JavaScript into the webpage that is loaded by an application, making it an excellent tool to log keystrokes and steal authentication cookies and then send them to a remote server.

In the new attack by mr.d0x, the proof-of-concept executable will open the legitimate Microsoft login form using the embedded WebView2 control.

As you can see below, the login form renders exactly as it would when using a regular browser and does not contain any suspicious elements like typos, strange domain names, etc. 

WebView2 phishing attack opening the Microsoft login form
WebView2 phishing attack opening the Microsoft login form
Source: BleepingComputer

As a WebView2 application can inject JavaScript into the page, anything the user types is automatically sent back to the attacker’s web server.

Also Read: Top 10 Main Reasons for Outsource Website Development

However, the true power of this type of application is the ability to steal any cookies sent by the remote server after a user logs in, including authentication cookies.

To do this, mr.d0x told BleepingComputer that the application creates a Chromium User Data folder the first time it runs and then uses that folder for each subsequent install.

The malicious application then uses the built-in WebView2 ‘ICoreWebView2CookieManager‘ interface to export the site’s cookies on successful authentication and sends them back to the attacker-controlled server, as shown below.

The malicious WebView2 app sending back the stolen cookies
The malicious WebView2 app sending back the stolen cookies
Source: BleepingComputer

Once the attacker decodes the base64-encoded cookies, they will have full access to the authentication cookies for the site and can use them to log in to a user’s account.

Decoded cookies stolen by the WebView2 application
Decoded cookies stolen by the WebView2 application
Source: BleepingComputer

The researcher also found that it was possible to use the WebView2 app to steal cookies for an existing Chrome user profile by copying their existing Chromium profile.

“WebView2 can be used to steal all available cookies for the current user. This was successfully tested on Chrome,” explains a report on this technique by mr.d0x.

“WebView2 allows you to launch with an existing User Data Folder (UDF) rather than creating a new one. The UDF contains all passwords, sessions, bookmarks etc. Chrome’s UDF is located at C:\Users\\AppData\Local\Google\Chrome\User Data.”

“We can simply tell WebView2 to start the instance using this profile and upon launch extract all cookies and transfer them to the attacker’s server.”

When asked how an attacker could use these cookies, mr.d0x told BleepingComputer that they could go to the login form for an account they stole and import the cookies using a Chrome extension like ‘EditThisCookie.’ Once the cookies are imported, they simply refresh the page to automatically be authenticated on the site.

What is more concerning, though, is that this attack also bypasses MFA secured by OTPs or security keys, as the cookies are stolen after the user logged in and successfully solved their multi-factor authentication challenge.

“So lets say the attacker sets up Github.com/login in their webview2 app, and the user logs in, then cookies can be extracted and exfil’d to the attacker’s server.”

“Yubikeys can’t save you because you’re authenticating to the REAL website not a phishing website.”

mr.d0x

Furthermore, these cookies will be valid until the session expires or there is some other post-authentication check that detects unusual behavior.

“So unless they have some additional checks POST-AUTHENTICATION then that won’t be detected, and of course this is not so easy to implement,” mr.d0x told BleepingComputer.

Attack requires social engineering

However, as mr.d0x admits and Microsoft pointed out in their response to our questions, this attack is a social engineering attack and requires a user to run a malicious executable.

“This social engineering technique requires an attacker to convince a user to download and run a malicious application,” Microsoft told BleepingComputer in a statement regarding this new technique.

“We recommend users practice safe computing habits, avoid running or installing applications from unknown or untrusted sources, and keep Microsoft Defender (or other anti-malware software) running and up-to-date.”

Therefore, getting someone to run an application in the first place may take additional work.

With that said, history has shown us that many people “just run things” without thinking about the ramifications, whether that be email attachments, random downloads off the Internet, cracks and warez, and game cheats.

All of these methods are proven to work with fairly little effort, leading to the installation of ransomware, remote access trojans, password stealing trojans, and more.

Therefore, the researcher’s WebView2 attack is feasible, especially if created to look like a legitimate application installer that requires you to log in first. For example, a fake Microsoft Office installer, game, or Zoom client.

While this attack has not been seen used in real-world attacks, the researcher’s techniques have been quickly used in attacks in the past, so this is something that security admins and professionals need to keep an eye on.

As for how to protect yourself from these attacks, all the regular cybersecurity advice remains the same.

Do not open unknown attachments, especially if they are executables, scan files you download from the Internet and do not enter your credentials into an application unless you are 100% sure the program is legitimate.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us