This research on the Edge flaw comes by way of independent Argentine security researcher Manuel Caballero. His blog post is not for the faint of heart, unless you’re prepared to read a few thousand words about iframes, SOP bypasses, and about:blanks; a writeup at Bleeping Computer translates it into reasonably plain language. Still, the bottom line is this: A remote attacker could execute malicious code in the Microsoft Edge browser in order to steal account login information, and at present, there’s no patch for it. MORE: 12 Computer Security Mistakes You’re Probably Making To cut to the chase, the only way to prevent this attack from happening is to use another web browser, such Mozilla Firefox or Google Chrome, until Microsoft updates Edge. For what it’s worth, Caballero did not treat the flaw as an indictment of Edge overall; his blog post pointed out multiple times just how many obstacles the Edge browser throws in a potential hacker’s way. In order to demonstrate how the flaw worked, Caballero invoked our old friend, 19th-century biologist Charles Darwin. In a video Caballero posted to YouTube, the security researcher created a Twitter account in Darwin’s name, then had Darwin’s old frenemy Alfred Russel Wallace send him a link. (Both Twitter accounts are still up.) Darwin clicked on the link — just as any ordinary Twitter user might — and found that the page on the other end included an embedded program to tweet on his behalf. The applet could even sign Darwin in and out of Twitter, and deliver his password “in a silver platter,” according to Caballero. How this works is an extremely complicated process, but in a nutshell, Caballero used inline frames (iFrames), which consist of HTML from one website embedded into another. Caballero has made the code for the attack widely available, if only so that people can see how it works for themselves. It’s still a pretty complicated process, so it’s anyone’s guess as to whether malicious hackers will actually use it, but it’s not impossible. The good news is that the hack doesn’t work on non-Edge browsers, since each browser’s process for storing and autofilling accounts is fairly different. (We recommend NOT letting any browser store credentials for social networking, email, shopping or banking accounts.) Don’t think that being judicious about clicking on links will help, either; Caballero pointed out that malvertising could just as easily inject malicious JavaScript code into an Edge browser and produce the same effect. For the time being, you’re better off using another browser — or cleaning out all autofill account credentials from Edge, and hoping you can do it quickly enough. Darwin photo: Public domain
10 Worst Data Breaches of All Time7 Easy Ways to Get Your Identity StolenBest Antivirus Protection for PC, Mac and Android