The rise of two-factor authentication added a new layer of security to the authentication process on the Internet. Attacks designed to steal user credentials are still common, but many fall short because access to user accounts is not granted without the second verification step.

fake microsoft office sig in webview2 keylogger

Users need to enter a code, use a hardware device or an application to complete the authentication request. Different forms of two-factor authentications exist. In the beginning, codes sent via email or SMS were common, but this method has the disadvantage that the information is submitted via plain text.

New authentication methods, including the use of applications and security devices, have risen to prominence to improve security. Passwordless sign-ins, those using secondary devices alone, are becoming more common as they remove the password from the authentication equation. Microsoft customers, for instance, may make their Microsoft Accounts passwordless.

Attackers devised new attacks to overcome two-factor authentications. Security researcher mr.dox developed a new attack that uses Microsoft Edge WebView2 functionality to steal account credentials, bypass two-factor authentication and exfiltrate cookies. While it is necessary that the application is executed on the victim’s system, it is giving attackers lots of flexibility and options, especially in regards to sign-ins to online services.

To better understand the attack, it is necessary to take a closer look at Microsoft Edge WebView2. At its core, WebView2 enables developers to embed web content into their Windows desktop applications. Microsoft Edge is used to render the web content in the native applications. Developers may embed HTML, CSS and JavaScript code in the custom-built application. It is possible to load sites using WebView, similarly to how web browsers communicate with websites.

Designed to enrich native desktop applications, WebView2’s rich functionality makes it an attractive option for malicious developers. An attacker could load any login page, including those found on Amazon, Microsoft, Google, or Facebook, using WebView.

The WebView2 phishing attack

One of the main features of WebView2 is the ability to use JavaScript. A built-in function enables web developers to inject JavaScript into websites. It is this function that mr.dox used to inject malicious JavaScript code into legitimate websites loaded in an application that uses WebView2.

To demonstrate this, mr.dox created a demo WebView2 application that loads the Microsoft Office website and has a JavaScript keylogger embedded in its code.

Since it is a legitimate site that is loaded, it is not blocked by security software or two-factor authentication protections. Users won’t see any differences between the loaded site and the site loaded in a web browser. Phishing sites may look different than the original website; this may happen during development, but also when changes are made to the legitimate site.

The GitHub project page demonstrates how a custom-built WebView2 application is used to steal all user input with the help of an injected keylogger. Since this happens in the background, most users should be unaware that every key they activate is logged and sent to the attacker.

While that may lead to successful account compromisations on its one, it does not provide access to accounts that are protected using two-factor authentication systems.

The attack does not stop at this point, however. WebView2 comes with built-in functionality to extract cookies. The attacker may steal authentication cookies, and it is simply a matter of waiting for the login to complete. Cookies are provided in base64 format, but it is trivial to decode the data to reveal the cookies.

If that was not bad enough, WebView may be used to steal all cookies from the active user. One of WebView2’s capabilities is to launch with “an existing User Data Folder” instead of creating a new one. Using this feature, attackers could steal user data from Chrome or other installed browsers.

Tested in Chrome, the developer was able to steal passwords, session data, bookmarks and other information. All it took was to start WebView2 using the profile location of Chrome to extract all Chrome cookies and transfer them to a remote server on the Internet.

Using the information, the attacker can access web applications, provided that the session is still active and that there are not any other defensive systems in place that may prevent access from new devices. Most of the extracted cookies remain valid until the session expires.

The caveat

The main drawback of this WebView2-based attack is that users need to run the malicious application on the user device. Sign-in to legitimate web services is required to steal the data, but the cookie and session stealing may happen without it.

Other malicious programs may provide attackers with other means to gain access to a user device and its data. The execution of any malicious program leads to disaster from a user’s point of view, and many users are still careless when it comes to the execution of programs and the launching of attachments on their devices.

Why go through the length of using the WebView2 attack, when other attacks may be easier to carry out? Mr.dox suggests that the WebView2 attack may provide attackers with additional options, such as running JavaScript code on target sites directly.

Defensive systems, such as antivirus applications, may prevent the launching of malicious Webview2 applications. The demo app, which is available on the researcher’s GitHub project site, was not blocked by Microsoft Defender. It includes a keylogger that protocols any key input by the user. A SmartScreen warning was displayed, but it was not prevented from being launched.

Protection against WebView2-based attacks

It all boils down to decade-old security practices when it comes to protection against this type of attack. Not launching applications that come from unknown sources or are not trustworthy is probably the main defensive option. Email attachments and web downloads need to be mentioned specifically here, as it is still common that computer users run these without consideration of the consequences.

Other options include scanning the file with up-to-date antivirus engines, or a service such as Virustotal. Virustotal scans files using dozens of antivirus engines and returns its findings in a matter of seconds to the user.


New Windows Phishing Method gives attackers access to cookies and more

Article Name

New Windows Phishing Method gives attackers access to cookies and more


A new phishing method using Microsoft Edge WebView2 may be used to steal user passwords, session cookies and other data.


Martin Brinkmann


Ghacks Technology News