Content Spoofing Vulnerability in Edge Browser

Hello Everyone,
Recently, I found an address bar spoofing vulnerability in the Edge browser. The issue has been addressed and fixed in the latest version of the Edge browser [CVE-2018-8383].
After that, I found another bug in the Edge browser, which is still unfixed.
I reported this bug to the Microsoft security team, but they replied that the report doesn't meet the bar.
So, I don't excuse or create a follow-up anymore.
I'm disclosing the bug here.
Previously, I found a simple bug: the Edge browser loads the domain in the address bar first and then redirects. So, it's possible to hold the redirect by giving a port etc., resulting in an address bar spoofing vulnerability.
Next, I found that the Edge browser loads our dialog box first while, in the background, Edge loads the site quickly, resulting in a content spoofing vulnerability.
Content spoofing is a subcategory of "Address Bar Spoofing" attacks. The issue occurs when you are able to spoof dialog boxes or a portion of the content. Though it is a low-risk vulnerability, it can sometimes aid in conducting phishing attacks.

PoC:
First, open the Edge browser and visit this link: https://whitehatpentesting.000webhostapp.com/demo.html
Next, click on 'Click Here to Hack Microsoft'
Wait and see.
So, hackers may virtually deface a website by spoofing dialog boxes or content and can perform phishing attacks in the Edge browser.
There are many low-risk, unpatched vulnerabilities in the Edge browser.
I hope Microsoft will fix this bug in the future.
Thanks for reading.