A security researcher has developed a phishing technology that uses Microsoft WebView2 features to steal victim login credentials and cookies. This can bypass two-step verification.

Phishing attack detected by researcher WebView2-Cookie-Stealer It uses the standard features of the WebView2 website embedding tool and a fraudulent cookie-stealing program for the user’s browser. By entering specific JavaScript code into the login page of legitimate websites, it is as if it was a normal login process. In principle, the victim logs in as usual, but then via the attacker’s malware. This makes it possible, for example, to record a user’s key input using a keylogger program.

Once the victim logs in, whether after applying two-step verification or not, the attacker can copy the cookies stored by the installed browser. The malicious hacker can then use these authentication cookies for their own session, so that the website believes they are identifying the attacker as a legitimate user. Stolen cookies including login data, for example, can be imported into a new session via the Chrome extension EditThisCookie.

According to the security researcher, the vulnerability is based on social engineering† The victim must initially run the WebView2 executable before monitoring the attempt to log in to a legitimate website. Microsoft confirms in response to the computer asleep Therefore, users should never run or install applications if they come from an untrustworthy source.

The software giant also states that users should always run an antivirus like Microsoft Defender to prevent rogue applications from being installed. jax finished By the way, Defender did not stop the installation of the beta application for the security researcher, but only issued a warning.