Microsoft Edge is a popular web browser built on the Chromium engine, just like Google Chrome. But even big names make mistakes. In 2023, security researchers discovered a bug in Microsoft Edge, tracked as CVE-2023-36029. This vulnerability is all about *spoofing* — tricking users into seeing something fake instead of what's really going on.
Below, we’ll break down what CVE-2023-36029 is, how it works, share code snippets, and give you links to further reading. This guide uses everyday language, so you don’t need to be a security pro to follow along.
What is Spoofing in Browsers?
*Spoofing* is when a browser shows information that misleads users—for example, displaying a fake website address or padlock that makes a phishing site look legit. Attackers love spoofing because it helps them scam users out of sensitive info like passwords or credit cards.
Fixed in: Edge version 119..2151.44
The vulnerability allowed attackers to create malicious web pages that could make Microsoft Edge display a spoofed address bar or misleading security indicators. This made it easier for attackers to trick users into believing they were on a real, safe website—when, in fact, they were on a dangerous one.
Exploit Details: How Attackers Could Abuse It
The root cause of this vulnerability lies in how Edge handled special ways to open or redirect webpages. With the right mix of web code and browser behavior, attackers could manipulate the address bar.
A user visits a malicious website.
2. The site uses JavaScript and tricky window.open or window.location code to open new tabs or frames.
3. Edge’s address bar displays the wrong URL—or hides crucial indicators—making users believe they’re on a trustworthy site.
Example Exploit Snippet
Here’s a basic example of JavaScript code that might be used to trigger spoofing with this flaw:
<!-- Attacker's site: malicious.example -->
<html>
<body>
<script>
// Opens a new window/tab and quickly navigates it
let win = window.open('https://realbank.com';);
setTimeout(function() {
win.location = 'https://malicious.example/phishing.html';;
}, 100); // Delay before switching to phishing page
</script>
<h2>Loading...</h2>
</body>
</html>
What this does:
- The user sees https://realbank.com for a split second in the address bar.
Quickly, the script changes the page to the phishing site.
- A user might not notice the address switch, especially if the attacker uses loading screens or overlays to hide the real address.
Note: Real exploits can get sneakier, using frames, popups, or visual tricks.
Real-World Attack Scenario
Let’s say you get an email from someone pretending to be your bank. The email links to a malicious site. When you click, the above exploit runs. Even though the browser address bar says you’re on realbank.com with a nice green padlock, you might be on a fake page asking for your password!
How Was This Fixed?
Microsoft addressed this issue in an Edge update (version 119..2151.44 and above), making sure that the address bar and security indicators always reflect the *real* website content, regardless of redirection trickery.
Best way to stay safe:
More References and Technical Details
- Microsoft Security Guide – CVE-2023-36029
- Microsoft Edge Release Notes
- Chromium Security FAQ
- Exploit DB — Browser Spoofing (general reference)
Conclusion
CVE-2023-36029 is a clear reminder that even the best browsers can sometimes fool us—by accident. The bug made it possible for attackers to cover up phishing with address bar tricks in Edge. Now that it’s fixed, make sure your browser stays updated, stay alert, and always pay attention to anything that feels off when browsing or entering personal info.
Timeline
Published on: 11/03/2023 01:15:07 UTC
Last modified on: 11/13/2023 03:28:00 UTC