Microsoft Edge Browser Flaw Allows Password Theft

Manuel Caballero, a security researcher who lately seems to have been focusing on finding flaws in Microsoft’s Edge browser, uncovered a new bug that would allow an attacker to steal users’ passwords from popular web services.

Caballero found a same-origin policy (SOP) bypass in the Edge browser that would allow an attacker to tweet in the name of a logged-in user by executing malicious code with the help of a data uniform resource identifier (URI), meta refresh tags, and domainless pages such as “about:blank.”

The password theft was possible because of Edge’s built-in password manager, which autofills users’ passwords after they’ve been logged out. Once the victim has loaded the malicious code in the browser by clicking on the attacker’s link, the attacker can capture the autofilled password.

http://www.tomshardware.co.uk/edge-password-theft-fake-tweets,news-55432.html