CVE-2022-24523 - Microsoft Edge (Chromium-based) Spoofing Vulnerability Explained

Microsoft Edge is a popular web browser built on the Chromium engine—the same one used by Google Chrome. In early 2022, a new security vulnerability called CVE-2022-24523 was discovered. This bug allowed attackers to trick Edge users with website address bar (URL) spoofing, making phishing easier and stealing personal information more likely.

This post breaks down how CVE-2022-24523 worked, how attackers could use it, and how you can keep safe. We'll also see some sample code and helpful links for deeper reading.

What is CVE-2022-24523?

CVE-2022-24523 was a spoofing vulnerability in Microsoft Edge (Chromium-based). Simply put, it allowed a website to display a *fake* web address (the URL you see in the address bar). For example, a malicious page could pretend to be your bank’s genuine website, even though it wasn’t.

This was dangerous because users rely on the address bar to decide if they're on a trusted site. If this trust is broken, cybercriminals can steal passwords, credit card info, and more by tricking people into thinking they're on secure websites.

Technical Details

The problem was with how Microsoft Edge handled certain browser events and web page transitions. By carefully crafting JavaScript and abusing window.open and certain redirects, attackers could cause the browser’s address bar to not update properly, or to show a trusted URL while displaying content from a different, malicious site.

Here’s a simplified JavaScript snippet that shows how the spoofing could work

// Attacker's website script

// Open a new window/tab with a legit-looking URL
let win = window.open('https://login.yourbank.com';, '_blank');

// After a short delay, overwrite the contents
setTimeout(function() {
  win.location = 'https://evil-attackersite.com/phishingpage.html';;
}, 200);

On some vulnerable Edge versions, the address bar might still show "https://login.yourbank.com" *even though* the page content is from the attacker's site!

What Could Attackers Do?

If you visited a sketchy site (or clicked a bad link in email/social media), the attacker could use this trick to:

Install malware by tricking you into downloading files.

All while the address bar *looked* perfectly trustworthy.

Fixes and Protection

Microsoft patched this bug in April 2022.  
ALWAYS UPDATE your browsers—this closes known holes fast.

Update details:
- Microsoft Security Update Guide - CVE-2022-24523

Microsoft security guidance:

CVE-2022-24523 | Chromium Spoofing Vulnerability (MSRC)

NIST National Vulnerability Database:

NVD - CVE-2022-24523

Microsoft Security Blog:

April 2022 Security Updates

Summary

CVE-2022-24523 was a serious flaw in Microsoft Edge that let attackers spoof URLs, putting your credentials at risk. It’s a good reason to keep your browser auto-updating and be extra careful online.

Remember: cyber safety isn’t just for IT folks—protecting yourself online is for everyone. Bookmark this post, share it with friends, and make sure you have updates enabled!

Timeline

Published on: 04/05/2022 20:15:00 UTC
Last modified on: 08/15/2022 11:18:00 UTC