A vulnerability in the Microsoft Edge browser can be exploited and allow an attacker to obtain a user's password and cookie files for various online accounts.
Caballero's recent discovery is a bypass of the Same Origin Policy (SOP), a browser security feature that prevents website A from loading and executing scripts loaded from website B.
This flaw, which Caballero disclosed today in a headache-inducing technical write-up, allows an attacker to load and execute malicious code with the help of data URIs, meta refresh tag, and domainless pages, such as about:blank.
In various variations of the exploitation technique Caballero showed how an attacker could execute code on high-profile sites just by tricking the victim into accessing a malicious URL.
In three proof-of-concept demos, the researcher executed code on the Bing homepage, tweeted on behalf of another user, and stole the password and cookie files from a Twitter account.
The last attack re-exposed a security flaw in the design of modern browsers, such as an attacker's ability to logout a user, load the login page, and steal the user's credentials that are automatically filled in by the browser's password autofill feature.
To better understand how all this works, Caballero has recorded a video of the attack:
Because of this, Caballero is providing the demos for download, so others can inspect the source code and make sure their passwords and cookies aren't uploaded anywhere.
The security researcher says the attack can be customized to dump the passwords or cookies of any other online service, such as Facebook, Amazon, and others. The flaw affects only Edge because "UXSS/SOP bypasses tend to be particular to each browser."
"[C]onsider that attackers use malvertising, deploying their bad bits inside cheap banners from popular sites. If an attacker is hosted inside a Yahoo banner and the user is logged in into her Twitter account, she will be owned with no interactions [sic], at all," the researcher explains.