A vulnerability in the Microsoft Edge browser can be exploited and allow an attacker to obtain a user's password and cookie files for various online accounts.

The vulnerability came to light following research by Manuel Caballero, a security expert who has a long history of unearthing Edge [1, 2] and Internet Explorer flaws [1].

Caballero's recent discovery is a bypass of the Same Origin Policy (SOP), a browser security feature that prevents website A from loading and executing scripts loaded from website B.

Vulnerability lets attackers bypass Edge's SOP protection

This flaw, which Caballero disclosed today in a headache-inducing technical write-up, allows an attacker to load and execute malicious code with the help of data URIs, meta refresh tag, and domainless pages, such as about:blank.

In various variations of the exploitation technique Caballero showed how an attacker could execute code on high-profile sites just by tricking the victim into accessing a malicious URL.

In three proof-of-concept demos, the researcher executed code on the Bing homepage, tweeted on behalf of another user, and stole the password and cookie files from a Twitter account.

The last attack re-exposed a security flaw in the design of modern browsers, such as an attacker's ability to logout a user, load the login page, and steal the user's credentials that are automatically filled in by the browser's password autofill feature.

To better understand how all this works, Caballero has recorded a video of the attack:

This vulnerability is currently unpatched. Versions of the proof-of-concept demos are hosted online [1, 2, 3], but we presume people are fearful to let sites dump their Twitter cookies and passwords.

Because of this, Caballero is providing the demos for download, so others can inspect the source code and make sure their passwords and cookies aren't uploaded anywhere.

Malvertising can automate attacks

The security researcher says the attack can be customized to dump the passwords or cookies of any other online service, such as Facebook, Amazon, and others. The flaw affects only Edge because "UXSS/SOP bypasses tend to be particular to each browser."

Furthermore, because modern ads deliver JavaScript code to browsers, attackers can leverage malvertising campaigns to automate the delivery of this exploit to thousands of victims, or more.

"[C]onsider that attackers use malvertising, deploying their bad bits inside cheap banners from popular sites. If an attacker is hosted inside a Yahoo banner and the user is logged in into her Twitter account, she will be owned with no interactions [sic], at all," the researcher explains.