Phishers Can Bypass Multi-Factor Authentication with Microsoft WebView2
Security researcher mr.d0x has published a new attack technique that abuses Microsoft Edge WebView2 applications to steal authentication cookies. Because the cookies are captured only after the victim has finished logging in, they give an attacker access to the account without having to defeat multi-factor authentication (MFA).
How the WebView2-Cookie-Stealer Attack Works
The technique, which the researcher calls WebView2-Cookie-Stealer, uses an executable built on WebView2 that, when launched, loads the genuine login page of a real website inside the application. Microsoft Edge WebView2 lets developers embed a browser (with full HTML, CSS and JavaScript support) in native applications, using Microsoft Edge (Chromium) for rendering. An application can therefore load any website inside itself and display it exactly as it would appear in Microsoft Edge.
However, mr.d0x noticed that WebView2 also gives the host application direct access to the cookies of the pages it loads and lets it inject JavaScript into them. Both are intended features of the platform rather than a flaw; the danger is that a malicious host application controls them, which makes WebView2 an effective tool for logging keystrokes and stealing authentication cookies.
In mr.d0x's proof of concept, the executable opens the genuine Microsoft login form in the embedded WebView2 control. The form looks exactly as it would in a browser and shows none of the usual warning signs of a phishing page, such as typos or an unfamiliar domain name.
Stealing Cookies and Bypassing MFA
Because the host application can inject JavaScript into the page, everything the user types into the form can be captured and forwarded to the attacker's server. Any cookies the remote server sets after the user logs in, including the session cookies that prove the user is authenticated, can then be read out of the embedded browser and stolen.
According to the researcher, the application creates a Chromium User Data Folder the first time it runs and reuses it on every later launch. The malicious application then uses WebView2's built-in ICoreWebView2CookieManager interface to export the cookies obtained after successful authentication and send them to a server the attacker controls.
The attacker decodes the received data (the proof of concept base64-encodes the cookies before sending them) and then holds the victim's authentication cookies for the site, which can be replayed to log into the victim's account.
Stealing Cookies from Existing Chrome Profiles
mr.d0x also notes that WebView2 applications can be used to steal cookies from an existing Chrome user profile by pointing the WebView2 runtime at that profile. “WebView2 can be used to steal all available cookies of the current user. This was successfully tested in Chrome,” the researcher explains. “WebView2 allows you to launch with an existing User Data Folder (UDF), rather than requiring a new one. The UDF contains all passwords, sessions, bookmarks, and so on. The UDF is located at C:\Users\[username]\AppData\Local\Google\Chrome\User Data.”
As a result, an attacker can use the stolen cookies by opening the login page of the hijacked account in their own browser and importing the cookies with any suitable Chrome extension, such as EditThisCookie. After the import, refreshing the page is enough to be authenticated to the site.
Worse, the attack defeats multi-factor authentication: the cookies are stolen after the user has already logged in and completed the MFA challenge, so the attacker is replaying a session that has already passed MFA.
“Suppose an attacker sets up Github.com/login in their WebView2 application, and the user logs in. The cookies can then be extracted and sent to the attacker’s server. Even using a Yubikey won’t save you, because you’re authenticating on the REAL site, not a phishing one,” mr.d0x explains.
Microsoft’s Response and Recommendations
Microsoft points out that the attack requires preparation and social engineering: the attacker must first convince the user to download and run a malicious executable. Microsoft's standing recommendation is not to run or install applications from unknown or untrusted sources and to keep Microsoft Defender or other security software up to date.