Windows 10 Browser Flaw Lets Hackers Steal Your Passwords
Patch your Windows 10 installation if you haven't lately — there's a serious Edge browser flaw that could let a remote attacker steal passwords and other sensitive personal information from your computer.
The flaw, discovered by Turkish security researcher Ziyahan Albeniz, has to do with the way Edge handles local files. Like all browsers, Edge can display HTML and other browser-compatible files that are on your computer just as easily as it can display web pages (which are really just HTML files on someone else's computer).
To fix this flaw on your machine, run the June or July security-update packages issued by Microsoft if your machine isn't set to automatically update itself. You can go to Settings, then Updates and Security, and then Check for Updates. If you're fully up to date, you're already done.
The problem here is that until the June security updates, Edge, Microsoft's "new" browser, didn't protect itself against malicious local files — only malicious files on remote web servers. It's a dumb but understandable oversight, as Albeniz said in a blog posting on the site of his employer, London security firm Netsparker.
"One thing that's often overlooked in similar, new development projects is the knowledge gained from years of small security fixes on the original product [i.e., Internet Explorer]," Albeniz wrote. "It is these security fixes, and the knowledge that comes with it, that may get lost when redesigning a web browser. That might explain why Microsoft Edge was the only browser I found that was vulnerable to this flaw."
Because of this mistake, a crook could email you an HTML file as an attachment. If you opened or previewed the file in Windows 10's built-in Mail application, which uses Edge to display HTML files, the file would immediately be able to read and copy information from all other browser-compatible files on your computer, such as text files, JPEGs and GIFs.
The file could send any information it gathered to a remote server. It wouldn't have to be a complicated file — Albeniz's proof-of-concept malicious file consists of 19 lines that amount to 931 kilobytes.
So what, you think? Well, a lot of people write down passwords, bank-account numbers and other important information in text files kept on their desktops. Albeniz put up a video showing how an attack could take place.
"There is probably no antivirus program that would recognize my file as malicious, and I could extract the files over a secure HTTPS connection," Albeniz pointed out. "This is what makes this attack so stealthy."