
Microsoft Edge Vulnerability allows Cookie and Password Theft


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

It has been discovered that an attacker is able to load and execute malicious code on high-profile sites such as social media sites. Social engineering techniques are used to persuade a user to click on the malicious link.

Affected platforms

The following platforms are known to be affected:

Threat details

Researchers have discovered that the vulnerability allows an attacker to log a user out of a social media site, load the login page and steal the user’s credentials, which are automatically filled in by the browser’s password autofill feature.

Additionally, the vulnerability allows attackers to execute malicious code on the Bing homepage and tweet on behalf of another user.


Remediation steps


At the time of publication there aren’t any patches for the vulnerability.

  • Educate employees not to click on any links from untrusted sources.
  • Avoid password reuse across multiple services.
  • Disable cookies from websites that cache passwords.
  • Ensure patches and updates are implemented as soon as they're released.

Last edited: 17 February 2020 11:34 am