Another Microsoft flaw allows theft of Facebook and Twitter passwords


Yet another major security flaw has been discovered in Microsoft’s Edge browser for Windows 10 that can be exploited to bypass a security protection feature and steal data such as passwords from other sites, or cookie files that contain sensitive information.

This time the flaw was uncovered by Argentinean security researcher Manuel Caballero, who used a Darwin Twitter account to demonstrate the attack. Thankfully, Charles Darwin was never a victim of a computer hack himself. Caballero has posted a video on YouTube showing a series of techniques by which the flaw could be used to access someone’s private information.

The vulnerability is a bypass of Edge's Same Origin Policy (SOP), a security feature that prevents a website from loading resources and code from other domains except its own. To exploit the flaw, an attacker can use server-redirected iframe requests combined with data URIs, which would allow him to confuse the SOP filter and retrieve passwords from sites via the Microsoft Edge browser. In the end, the attacker will be able to inject a password form on another domain.

It is clear that the SOP feature isn’t working as it should: this is the third unpatched flaw discovered recently in this very same feature, and at present there is no patch for it.

To cut to the chase, the only way to prevent this attack from happening is to use another web browser, such as Mozilla Firefox or Google Chrome, until Microsoft updates Edge.