The rise of two-factor authentication added a new layer of security to the authentication process on the Internet. Attacks designed to steal user credentials are still common, but many fall short because access to user accounts is not granted without the second verification step.
Users need to enter a code, or use a hardware device or an application, to complete the authentication request. Different forms of two-factor authentication exist. Early on, codes sent via email or SMS were common, but this method has the disadvantage that the code is transmitted in plain text.
New authentication methods, including the use of applications and security devices, have risen to prominence to improve security. Passwordless sign-ins, those using secondary devices alone, are becoming more common as they remove the password from the authentication equation. Microsoft customers, for instance, may make their Microsoft Accounts passwordless.
Attackers have devised new techniques to get around two-factor authentication. Security researcher mr.dox developed a new attack that uses Microsoft Edge WebView2 functionality to steal account credentials, bypass two-factor authentication and exfiltrate cookies. While the malicious application has to be executed on the victim's system, it gives attackers a great deal of flexibility, especially with regard to sign-ins to online services.
Designed to enrich native desktop applications with web content, WebView2's rich functionality makes it an attractive option for malicious developers. An attacker could load any login page, including those of Amazon, Microsoft, Google or Facebook, inside a WebView2 application.
The WebView2 phishing attack
Since it is the legitimate site that is loaded, it is not blocked by security software or two-factor authentication protections. Users won't see any difference between the site loaded in the application and the same site loaded in a web browser. Classic phishing sites, by contrast, may look different from the original website, either because of mistakes made while building them or because the legitimate site has changed in the meantime.
The GitHub project page demonstrates how a custom-built WebView2 application steals all user input with the help of an injected keylogger. Since this happens in the background, most users will be unaware that every key they press is logged and sent to the attacker.
While that alone may lead to successful account compromises, it does not provide access to accounts that are protected by two-factor authentication.
The attack does not stop at this point, however. WebView2 comes with built-in functionality to extract cookies. The attacker may steal the authentication cookies; it is simply a matter of waiting for the login to complete. The cookies are returned base64-encoded, but decoding the data to reveal them is trivial.
If that was not bad enough, WebView2 may be used to steal all cookies of the active user. One of WebView2's capabilities is to launch with "an existing User Data Folder" instead of creating a new one. Using this feature, attackers could steal user data from Chrome or other installed browsers.
In a test against Chrome, the developer was able to steal passwords, session data, bookmarks and other information. All it took was to start WebView2 with Chrome's profile location as the user data folder, extract all Chrome cookies and transfer them to a remote server on the Internet.
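The profile-reuse step described above is also the most detectable part of the attack: a browser's profile folder is normally opened only by that browser. The following Python script is an added example written for this article, not code from the researcher's project. It scans constructed process-creation records (Sysmon-style fields) and flags launches of the WebView2 runtime process whose command line points the user data folder at a real browser's profile root. The process name msedgewebview2.exe and the --user-data-dir switch are the names the WebView2 runtime and Chromium use; the event records, the ContosoApp and Invoice_2022.exe names and the paths are constructed.

```python
"""Flag WebView2 launches that reuse another browser's profile folder.

Added example for this article, not the researcher's code. Assumes the
WebView2 runtime process is msedgewebview2.exe and that the reused profile
is passed with Chromium's --user-data-dir switch; all event records and
application names below are constructed.
"""
import ntpath
import re
from typing import Iterable, Optional

WEBVIEW2_PROCESS = "msedgewebview2.exe"

# Profile roots (below %LOCALAPPDATA%) of browsers whose cookies, passwords and
# bookmarks would be exposed if WebView2 were pointed at them.
BROWSER_PROFILE_ROOTS = (
    r"\google\chrome\user data",
    r"\microsoft\edge\user data",
    r"\bravesoftware\brave-browser\user data",
)

# --user-data-dir=<value> or --user-data-dir <value>, quoted or bare.
_UDD_RE = re.compile(r'--user-data-dir[=\s]+(?:"([^"]*)"|(\S+))', re.IGNORECASE)


def user_data_dir(cmdline: str) -> Optional[str]:
    """Return the user data folder named on a command line, if any."""
    m = _UDD_RE.search(cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def targets_browser_profile(path: str) -> bool:
    """True if the folder lies inside a known browser profile root."""
    normalized = ntpath.normpath(path).lower()
    return any(root in normalized for root in BROWSER_PROFILE_ROOTS)


def flag_profile_reuse(events: Iterable[dict]) -> list:
    """Return one finding per WebView2 process that opens a browser profile."""
    findings = []
    for ev in events:
        if ntpath.basename(ev["image"]).lower() != WEBVIEW2_PROCESS:
            continue
        folder = user_data_dir(ev["cmdline"])
        if folder and targets_browser_profile(folder):
            findings.append({
                "pid": ev["pid"],
                "parent": ev["parent_image"],   # the host app to triage
                "user_data_dir": folder,
            })
    return findings


# Constructed process-creation records with Sysmon-style fields.
SAMPLE_EVENTS = [
    {   # a legitimate host app keeping its own WebView2 profile
        "pid": 4001,
        "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\<version>\msedgewebview2.exe",
        "parent_image": r"C:\Program Files\ContosoApp\ContosoApp.exe",
        "cmdline": r'"msedgewebview2.exe" --user-data-dir="C:\Users\alice\AppData\Local\ContosoApp\EBWebView"',
    },
    {   # a downloaded executable pointing WebView2 at the Chrome profile
        "pid": 4312,
        "image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\<version>\msedgewebview2.exe",
        "parent_image": r"C:\Users\alice\Downloads\Invoice_2022.exe",
        "cmdline": r'"msedgewebview2.exe" --user-data-dir="C:\Users\alice\AppData\Local\Google\Chrome\User Data"',
    },
    {   # unrelated process, ignored
        "pid": 4400,
        "image": r"C:\Windows\System32\notepad.exe",
        "parent_image": r"C:\Windows\explorer.exe",
        "cmdline": "notepad.exe",
    },
]

if __name__ == "__main__":
    for finding in flag_profile_reuse(SAMPLE_EVENTS):
        print(f"pid {finding['pid']} launched by {finding['parent']} "
              f"opened {finding['user_data_dir']}")
```

Windows security event 4688 with command-line auditing enabled, or Sysmon process-creation events, supply the three fields used here. The rule keys on the folder rather than on the parent process because a legitimate WebView2 host always gets its own user data folder; the parent image is recorded only so the analyst can see which executable, here one from the Downloads folder, hosted the control.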
Using this information, the attacker can access web applications, provided that the session is still active and that no other defensive systems are in place to prevent access from new devices. Most of the extracted cookies remain valid until the session expires.
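Whether a stolen cookie is usable therefore depends on what the web application checks beyond the cookie itself. The following Python session store is an added example, not code from the article or from any of the services it names: it binds each session to the device properties seen at login, enforces an idle timeout and an absolute lifetime, and revokes the session outright when the cookie is replayed from a different device, so the legitimate user is signed out and has to authenticate again. The timeouts, the fingerprint inputs and the demo() scenario are assumptions chosen for illustration.

```python
"""Server-side session checks that limit what a stolen cookie is worth.

Added example for this article, not code from the article or from any
service it names. Lifetimes and fingerprint inputs are illustrative choices.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

ABSOLUTE_LIFETIME = 8 * 3600   # session dies 8 h after login regardless of use
IDLE_TIMEOUT = 15 * 60         # ... or after 15 min without a request


@dataclass
class Session:
    user: str
    device_fp: str
    issued_at: float
    last_seen: float
    revoked: bool = False


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for deterministic tests
        self._sessions = {}

    @staticmethod
    def fingerprint(user_agent: str, client_ip: str) -> str:
        # Coarse device binding: a cookie replayed from another host arrives
        # with request properties that differ from those recorded at login.
        return hashlib.sha256(f"{user_agent}|{client_ip}".encode()).hexdigest()

    def login(self, user: str, user_agent: str, client_ip: str) -> str:
        token = secrets.token_urlsafe(32)   # the cookie value
        now = self._clock()
        self._sessions[token] = Session(user, self.fingerprint(user_agent, client_ip), now, now)
        return token

    def validate(self, token: str, user_agent: str, client_ip: str):
        """Return (accepted, reason) for a request carrying this cookie."""
        s = self._sessions.get(token)
        if s is None or s.revoked:
            return False, "unknown-or-revoked"
        now = self._clock()
        if now - s.issued_at > ABSOLUTE_LIFETIME:
            s.revoked = True
            return False, "expired"
        if now - s.last_seen > IDLE_TIMEOUT:
            s.revoked = True
            return False, "idle-timeout"
        if not hmac.compare_digest(s.device_fp, self.fingerprint(user_agent, client_ip)):
            # Replay from a different device: kill the session for everyone so
            # the real user notices and must re-authenticate.
            s.revoked = True
            return False, "device-mismatch"
        s.last_seen = now
        return True, "ok"


def demo() -> dict:
    """Constructed scenario: victim logs in, attacker replays the cookie."""
    clock = [1_000_000.0]
    store = SessionStore(clock=lambda: clock[0])
    ua, ip = "Mozilla/5.0 (Windows NT 10.0) Chrome/102", "203.0.113.10"
    token = store.login("alice", ua, ip)
    out = {}
    clock[0] += 60
    out["legit_first"] = store.validate(token, ua, ip)
    # the exfiltrated cookie is presented from the attacker's host
    out["replay"] = store.validate(token, "curl/7.83", "198.51.100.7")
    # the victim's next request fails too: she is forced to log in again
    out["legit_after_replay"] = store.validate(token, ua, ip)
    # a second session left idle past the timeout
    token2 = store.login("alice", ua, ip)
    clock[0] += IDLE_TIMEOUT + 1
    out["idle"] = store.validate(token2, ua, ip)
    return out


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step:20s} {result}")
```

Binding to the client IP is deliberately coarse and breaks for users on changing mobile networks; a production system would use softer signals or require re-authentication only for sensitive actions. Short lifetimes bound the window rather than close it, since the attack in this article exfiltrates cookies as soon as the login completes.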
The main drawback of this WebView2-based attack is that the user has to run the malicious application on their device. Stealing credentials through the injected keylogger requires the victim to sign in to a legitimate web service, but the cookie and session theft from an existing browser profile works without any sign-in.
Other malicious programs give attackers other means to gain access to a user's device and data. From the user's point of view, the execution of any malicious program leads to disaster, and many users are still careless when it comes to running programs and opening attachments on their devices.
Defensive systems such as antivirus applications may prevent malicious WebView2 applications from launching. The demo app, which is available on the researcher's GitHub project site and includes a keylogger that logs all key input by the user, was not blocked by Microsoft Defender. A SmartScreen warning was displayed, but the application was not prevented from launching.
Protection against WebView2-based attacks
Protection against this type of attack boils down to decades-old security practices. Not launching applications that come from unknown or untrustworthy sources is probably the main defensive option. Email attachments and web downloads deserve specific mention here, as it is still common for computer users to run them without considering the consequences.
Other options include scanning the file with up-to-date antivirus engines, or with a service such as VirusTotal. VirusTotal scans files using dozens of antivirus engines and returns its findings to the user within seconds.
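Checking a download against VirusTotal can be scripted so that the file is hashed locally and only the hash is looked up, which keeps the file itself private. The following Python script is an added example, not a VirusTotal or gHacks tool. It assumes the VirusTotal API v3 endpoint files/{sha256} with the API key passed in the x-apikey header, reads that key from the VT_API_KEY environment variable, and reduces the response's last_analysis_stats object to a short verdict; the report structure is an assumption based on that API.

```python
"""Look up a downloaded file on VirusTotal by hash before running it.

Added example for this article, not a VirusTotal or gHacks tool. Assumes the
VirusTotal API v3 'files/{sha256}' endpoint, the x-apikey header and a
last_analysis_stats object in the response; the key comes from VT_API_KEY.
"""
import hashlib
import json
import os
import sys
import urllib.error
import urllib.request
from typing import Optional

VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: str) -> str:
    """Hash in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def summarize(report: dict) -> dict:
    """Reduce a VirusTotal file object to a verdict a user can act on."""
    stats = report["data"]["attributes"]["last_analysis_stats"]
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = flagged + stats.get("undetected", 0) + stats.get("harmless", 0)
    return {
        "flagged": flagged,
        "engines": total,
        "verdict": "do not run" if flagged else "no detections",
    }


def lookup(sha256: str, api_key: str) -> Optional[dict]:
    """Fetch the report for a hash; None if VirusTotal has never seen it."""
    req = urllib.request.Request(VT_FILE_URL.format(sha256), headers={"x-apikey": api_key})
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None   # unknown hash: not seen before, which is not "clean"
        raise


def main(path: str) -> None:
    digest = sha256_of_file(path)
    key = os.environ.get("VT_API_KEY")
    if not key:
        print(f"{digest}  (set VT_API_KEY to query VirusTotal)")
        return
    report = lookup(digest, key)
    if report is None:
        print(f"{digest}  not in VirusTotal; treat as unknown, not as safe")
    else:
        print(f"{digest}  {summarize(report)}")


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as `python vtcheck.py Invoice_2022.exe` (file name constructed). A 404 means the hash has never been submitted, which is exactly what a freshly built malicious application produces, so "unknown" is a reason for caution rather than a clean result. A zero-detection report for a very new file is weak evidence for the same reason; the demo app in this article was not flagged by Microsoft Defender either.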