Charles Darwin was many things — a naturalist, a family man, an orator — but he'd never been the victim of a computer hacker until now. A new and potentially very nasty vulnerability in Microsoft Edge could let an attacker tweet on your behalf or steal your credentials for any account that Edge autofills, and the security researcher who discovered the flaw used a Darwin Twitter account to demonstrate such an attack.
This research on the Edge flaw comes by way of independent Argentine security researcher Manuel Caballero. His blog post is not for the faint of heart, unless you’re prepared to read a few thousand words about iframes, SOP bypasses, and about:blanks; a writeup at Bleeping Computer translates it into reasonably plain language.
Still, the bottom line is this: A remote attacker could execute malicious code in the Microsoft Edge browser in order to steal account login information, and at present, there’s no patch for it.
To cut to the chase, the only way to prevent this attack from happening is to use another web browser, such Mozilla Firefox or Google Chrome, until Microsoft updates Edge. For what it’s worth, Caballero did not treat the flaw as an indictment of Edge overall; his blog post pointed out multiple times just how many obstacles the Edge browser throws in a potential hacker’s way.
In order to demonstrate how the flaw worked, Caballero invoked our old friend, 19th-century biologist Charles Darwin. In a video Caballero posted to YouTube, the security researcher created a Twitter account in Darwin’s name, then had Darwin's old frenemy Alfred Russel Wallace send him a link. (Both Twitter accounts are still up.)
Darwin clicked on the link — just as any ordinary Twitter user might — and found that the page on the other end included an embedded program to tweet on his behalf. The applet could even sign Darwin in and out of Twitter, and deliver his password “in a silver platter,” according to Caballero.
How this works is an extremely complicated process, but in a nutshell, Caballero used inline frames (iFrames), which consist of HTML from one website embedded into another.
By tricking Darwin into clicking on a link that collected his cookies, the attacker (Wallace) could collect usernames and passwords from Microsoft Edge’s autofill records. In this case, Wallace obtained Darwin’s Twitter password, but this hack could theoretically work on any account for which the user lets Microsoft Edge store credentials -- Facebook, LinkedIn, Amazon, online bank accounts, and so on.
Caballero has made the code for the attack widely available, if only so that people can see how it works for themselves. It’s still a pretty complicated process, so it’s anyone’s guess as to whether malicious hackers will actually use it, but it’s not impossible. The good news is that the hack doesn’t work on non-Edge browsers, since each browser’s process for storing and autofilling accounts is fairly different. (We recommend NOT letting any browser store credentials for social networking, email, shopping or banking accounts.)
Darwin photo: Public domain