Researcher can bypass two-step verification via WebView2 to steal cookies

A security researcher has developed a phishing technique that uses Microsoft WebView2 features to steal a victim’s login credentials and cookies. This can potentially bypass two-step verification.

The phishing attack is detected by the researcher WebView2-Cookie-Stealer and uses standard features of website embed tool WebView2 and a rogue program to steal a user’s browser cookies. Injecting specific JavaScript code into the login page of otherwise legitimate websites makes it appear as if it were a normal login process. In principle, the victim logs in as normal, but then via the malicious program of the attacker. This makes it possible, for example, to register the user’s key input with a keylogger.

Once the victim has logged in, with or without the application of two-step verification, the attacker can copy cookies stored by the browser. A malicious hacker can then use these authentication cookies for their own session, so that the website thinks it recognizes the attacker as a legitimate user. Stolen cookies including login details can be imported into a new session via the Chrome extension EditThisCookie, for example.

According to the security researcher, the vulnerability is based on social engineering; the victim must initially run the WebView2 executable before a login attempt at a legitimate website can be monitored. Microsoft emphasizes in a response to Bleeping Computer therefore, users should never launch or install applications if they come from an untrustworthy source.

The software giant also states that users should always have antivirus software such as Microsoft Defender on to prevent installation of rogue applications. Ghacks concluded incidentally, Defender did not stop the installation of the security researcher’s demo application, but only issued a warning.

The security researcher disguised his rogue application as an Office app, after which users officially log in to Microsoft via a WebView2 embed