Windows 10 Browser Flaw Lets Hackers Steal Your Passwords

Patch your Windows 10 installation if you haven't lately — there's a serious Edge browser flaw that could let a remote attacker steal passwords and other sensitive personal information from your computer.

The flaw, discovered by Turkish security researcher Ziyahan Albeniz, has to do with the way Edge handles local files. Like all browsers, Edge can display HTML and other browser-compatible files that are on your computer just as easily as it can display web pages (which are really just HTML files on someone else's computer).

To fix this flaw on your machine, run the June or July security-update packages issued by Microsoft if your machine isn't set to automatically update itself. You can go to Settings, then Updates and Security, and then Check for Updates. If you're fully up to date, you're already done.

MORE: How to Use Windows 10

The problem here is that until the June security updates, Edge, Microsoft's "new" browser, didn't protect itself against malicious local files — only malicious files on remote web servers. It's a dumb but understandable oversight, as Albeniz said in a blog posting on the site of his employer, London security firm Netsparker.

"One thing that's often overlooked in similar, new development projects is the knowledge gained from years of small security fixes on the original product [i.e., Internet Explorer]," Albeniz wrote. "It is these security fixes, and the knowledge that comes with it, that may get lost when redesigning a web browser. That might explain why Microsoft Edge was the only browser I found that was vulnerable to this flaw."

Because of this mistake, a crook could email you an HTML file as an attachment. If you opened or previewed the file in Windows 10's built-in Mail application, which uses Edge to display HTML files, the file would immediately be able to read and copy information from all other browser-compatible files on your computer, such as text files, JPEGs and GIFs.

The file could send any information it gathered to a remote server. It wouldn't have to be a complicated file — Albeniz's proof-of-concept malicious file consists of 19 lines that amount to 931 kilobytes.

So what, you think? Well, a lot of people write down passwords, bank-account numbers and other important information in text files kept on their desktops. Albeniz put up a video showing how an attack could take place.

"There is probably no antivirus program that would recognize my file as malicious, and I could extract the files over a secure HTTPS connection," Albeniz pointed out. "This is what makes this attack so stealthy."

Image credit: T.Dallas/Shutterstock

Edge Browser Tips