Trailing along a number of vulnerabilities across Microsoft’s range of products recently, yet another major security flaw has been discovered. This time by security researcher Manuel Caballero, this latest flaw enables the theft of cookie and password data in Microsoft Edge, Microsoft’s default browser for Windows 10.
Using a series of techniques, cookie data, as well as passwords, can be retrieved for websites, such as Twitter and Facebook. In a video posted on YouTube, Caballero shows how this flaw could be used to access the “private” information:
The issue stems from a flaw in Microsoft Edge’s Same Origin Policy (SOP), which is a security feature that is supposed to stop cookie and password data for one domain being accessed by another. Although, clearly, it isn’t working as it should, as this is the 3rd unpatched flaw discovered recently in this very same feature.
Caballero explains the issue in granular detail on his blog, where it is explained that server redirects, iFrames and data URIs are used to retrieve passwords from sites via the Microsoft Edge browser.
We’ve reached out to Microsoft for comment on this security flaw.