Microsoft Edge vulnerability could let people hijack your Twitter (or any other) account

[Nowak]

Sauce: http://www.laptopmag.com/articles/microsoft-edge-autofill-attack

 

Do you trust Microsoft Edge? Well... don't. Better yet, don't use Edge, except to download another browser.

 

Quote

Charles Darwin was many things — a naturalist, a family man, an orator — but he'd never been the victim of a computer hacker until now. A new and potentially very nasty vulnerability in Microsoft Edge could let an attacker tweet on your behalf or steal your credentials for any account that Edge autofills, and the security researcher who discovered the flaw used a Darwin Twitter account to demonstrate such an attack.

A security researcher recently discovered a flaw in Microsoft's flagship Edge browser that can allow an attacker to very easily obtain your user credentials for any site, and as a consequence, hijack the compromised account. This can, of course, be a very serious security vulnerability when it comes to your safety online.

 

Quote

This research on the Edge flaw comes by way of independent Argentine security researcher Manuel Caballero. His blog post is not for the faint of heart, unless you’re prepared to read a few thousand words about iframes, SOP bypasses, and about:blanks; a writeup at Bleeping Computer translates it into reasonably plain language. 

Still, the bottom line is this: A remote attacker could execute malicious code in the Microsoft Edge browser in order to steal account login information, and at present, there’s no patch for it.

The original post by Manuel Caballero goes into a lot of technical details, but it can be summarized as what the article says: a remote attacker could potentially execute malicious code in Edge and steal login information. This vulnerability also exists in all versions of Windows 10, and hasn't been patched.

 

How do you avoid this vulnerability, then? It's simple: you use a different browser.

Quote

o cut to the chase, the only way to prevent this attack from happening is to use another web browser, such Mozilla Firefox or Google Chrome, until Microsoft updates Edge.

 

Although, Caballero did not treat the flaw as an indictment of Edge overall.

Quote

For what it’s worth, Caballero did not treat the flaw as an indictment of Edge overall; his blog post pointed out multiple times just how many obstacles the Edge browser throws in a potential hacker’s way.

 

For those of you curious and want to see it in action, he has provided videos of the vulnerability in action.

 

I don't think I need to commentate on the video, but if you can't watch a video at the moment or also need an explanation, here's what the article says:

 

Quote

Darwin clicked on the link — just as any ordinary Twitter user might — and found that the page on the other end included an embedded program to tweet on his behalf. The applet could even sign Darwin in and out of Twitter, and deliver his password “in a silver platter,” according to Caballero.

 

How this works is an extremely complicated process, but in a nutshell, Caballero used inline frames (iFrames), which consist of HTML from one website embedded into another.

 

By tricking Darwin into clicking on a link that collected his cookies, the attacker (Wallace) could collect usernames and passwords from Microsoft Edge’s autofill records. In this case, Wallace obtained Darwin’s Twitter password, but this hack could theoretically work on any account for which the user lets Microsoft Edge store credentials -- Facebook, LinkedIn, Amazon, online bank accounts, and so on. 

 

Oh yeah, this attack was published and is widely available. For demonstrative purposes, of course. Even then, it's not recommended you use your browser's built-in password manager.

Quote

Caballero has made the code for the attack widely available, if only so that people can see how it works for themselves. It’s still a pretty complicated process, so it’s anyone’s guess as to whether malicious hackers will actually use it, but it’s not impossible. The good news is that the hack doesn’t work on non-Edge browsers, since each browser’s process for storing and autofilling accounts is fairly different. (We recommend NOT letting any browser store credentials for social networking, email, shopping or banking accounts.)

 

Oh, and the user doesn't need to click on any malicious links to be affected by this vulnerability.

Quote

Don’t think that being judicious about clicking on links will help, either; Caballero pointed out that malvertising could just as easily inject malicious JavaScript code into an Edge browser and produce the same effect.

 

I don't really have much to add that the article doesn't already say, but I will repeat Laptop Magazine's urges to not use Edge until Microsoft issues a patch. If you care about your online safety, switching away from Edge, even if just for a bit, is a necessity right now.

[BobyTheDragon]

... and that kids is why I use chrome

[AlTech]

If people followed procedure for submitting bugs to Microsoft then we wouldn't need this to brought up whilst it is not fixed yet.

 

I can imagine that the next Security Update will include this, which is unfortunate considering that the latest security update just landed.

[AlTech]

4 minutes ago, Marshall212 said:

... and that kids is why I use chrome

Oh pls. Don't get me started on chrome. It's a got a myriad of issues none of which relate to Security but still are annoying to deal with.

[BobyTheDragon]

Just now, AluminiumTech said:

Oh pls. Don't get me started on chrome. It's a got a myriad of issues none of which relate to Security but still are annoying to deal with.

well I mean i do use firefox on my other pc as well

[Nowak]

1 minute ago, AluminiumTech said:

Oh pls. Don't get me started on chrome. It's a got a myriad of issues none of which relate to Security but still are annoying to deal with.

But how about alternative browsers, like Vivaldi?

[Nowak]

29 minutes ago, AluminiumTech said:

If people followed procedure for submitting bugs to Microsoft then we wouldn't need this to brought up whilst it is not fixed yet.

Seems like it was reported to Microsoft.

 

 

This goes for everyone here, remember to not use Edge until a patch is issued, because this can be used against potentially any website. That's the scary part to me.

[LAwLz]

1 hour ago, Daring said:

This goes for everyone here, remember to not use Edge until a patch is issued, because this can be used against potentially any website. That's the scary part to me.

Well, if you ask me you should not use Edge even if this issue gets fixed.

But this only affects people who use the built in password manager. If you do not use it, then you can safely keep using Edge. Like the article says, it is not recommended to use the builtin password manager in any browser.

 

The one in Firefox for example saves your passwords in clear text by default. You need to manually enable a master password for it to be encrypted. That's a less serious issue than this attack since it can be done remotely, but it's just another reason why you should use a proper password manager such as Keepass instead.

[WereCat]

2 hours ago, Daring said:

But how about alternative browsers, like Vivaldi?

Yes, Vivaldi is awesome.

Last time I used Edge was when W10 released, haven't tried it since. May give it a shot again but I already know that I won't like it anyway.

[AlTech]

4 hours ago, Daring said:

But how about alternative browsers, like Vivaldi?

I dislike Vivaldi as well.

 

Firefox is semi ok but it's got it's own issues.

 

1 hour ago, WereCat said:

Yes, Vivaldi is awesome.

Last time I used Edge was when W10 released, haven't tried it since. May give it a shot again but I already know that I won't like it anyway.

I use Edge on a daily basis.

 

How come so many don't like Edge?

[suicidalfranco]

and that kids is why i use Vivaldi

[SCHISCHKA]

im pretty sure the noscript plugin will protect against this. I don't know if it is on edge. Since when did people start using a Microsoft browser? For some reason I'm thinking of the man at the end of the planet of the apes film

 

[SCHISCHKA]

58 minutes ago, AluminiumTech said:

How come so many don't like Edge?

OS and web browser bundling just has a bad history going back to maybe ie4. I remember filling all windows explorer windows with beavis and butthead gifs on every computer I touched. I don't care how much they improve it, I won't use a MS web browser

[captain_to_fire]

 

5 hours ago, AluminiumTech said:

If people followed procedure for submitting bugs to Microsoft then we wouldn't need this to brought up whilst it is not fixed yet.

 

I can imagine that the next Security Update will include this, which is unfortunate considering that the latest security update just landed.

How it should be the lay people who should submit security bugs and zero day exploits and vulnerabilities to Microsoft? Remember, this is the same browser who failed in the Pwn2Own hacking contest in Vancouver this last March. Do they not do enough penetration testing?

 

1 hour ago, AluminiumTech said:

How come so many don't like Edge?

Because 6/10 times, it will display an empty web page despite refreshing. This makes me think that the open source WebKit is better than Microsoft's proprietary EdgeHTML. 

6 hours ago, Daring said:

If you care about your online safety, switching away from Edge, even if just for a bit, is a necessity right now.

Also for the people who do online banking with Microsoft Edge, stay away from it. 

[WereCat]

1 hour ago, AluminiumTech said:

 

 

I use Edge on a daily basis.

 

How come so many don't like Edge?

I used Edge on my Lumia when I had it.

 

On PC it displayed many pages incorrectly or caused other issues... that was back then when I tried it, maybe it works better know, idk.

[Dabombinable]

2 minutes ago, WereCat said:

I used Edge on my Lumia when I had it.

 

On PC it displayed many pages incorrectly or caused other issues... that was back then when I tried it, maybe it works better know, idk.

It still does-its not much better than IE8 in that regard.

[AlTech]

4 minutes ago, WereCat said:

I used Edge on my Lumia when I had it.

 

On PC it displayed many pages incorrectly or caused other issues... that was back then when I tried it, maybe it works better know, idk.

It works a lot better now.

 

9 minutes ago, hey_yo_ said:

snip

So, I should use FireFox until this issue is fixed?

[WereCat]

1 minute ago, AluminiumTech said:

It works a lot better now.

Well, I may give it a shot but I won't trade it for Vivaldi. Tab Grouping is too much convenient and there is many more other features I would miss.

[captain_to_fire]

5 minutes ago, AluminiumTech said:

So, I should use FireFox until this issue is fixed?

You should or some other third party browsers until Microsoft patches the vulnerability. 

[suicidalfranco]

39 minutes ago, hey_yo_ said:

 

How it should be the lay people who should submit security bugs and zero day exploits and vulnerabilities to Microsoft? Remember, this is the same browser who failed in the Pwn2Own hacking contest in Vancouver this last March. Do they not do enough penetration testing?

 

Because 6/10 times, it will display an empty web page despite refreshing. This makes me think that the open source WebKit is better than Microsoft's proprietary EdgeHTML. 

Also for the people who do online banking with Microsoft Edge, stay away from it. 

Until you find that one bank that developed their web site with IE in mind

[dmegatool]

24 minutes ago, huilun02 said:

A power user browser that can use Chrome extensions without Google's backend junk

Vivaldi

A power user browser that still haven't implemented sync 2+ years later even if it's the most requested feature. Like I'm gonna manually sync my bookmark, history and extension between 3 computers and my phone xD. Not gonna happen. Still waiting before giving Vivaldi a full tryout as my main.  

 

They should just use a 3rd party infrastructure for now and implement their own thing later. Like sync to your own Google Drive, Dropbox or whatever. Not the best but enough to attract people and gain market share. 

[captain_to_fire]

10 minutes ago, suicidalfranco said:

Until you find that one bank that developed their web site using IE

When I registered for my Social Security few years ago, it asked me to use Internet Explorer. ?

 

I don't think the three banks I transact with required me to use IE at all. 

[Princess Luna]

2 hours ago, AluminiumTech said:

How come so many don't like Edge?

I actually like Edge, it's my secondary browser of choice, Also for instance when my mom needs to use my PC for whatever reason to browser the web I have her use Edge because my Firefox is soooo damn edited/customized, tampermonkey scripts, addons, universal night theme and so on that she'd get lost trying to use it

[Princess Luna]

8 minutes ago, hey_yo_ said:

I don't think the three banks I transact with required me to use IE at all. 

You'd be surprised, public banks here in Brazil all demand you to use IE since their "security plugin" only works on it.

[AlTech]

38 minutes ago, hey_yo_ said:

You should or some other third party browsers until Microsoft patches the vulnerability. 

Does this also affect IE11?

 

A relative I know uses IE11 very extensively. Even after I tried to move her to Edge.