Attackers can abuse the Windows UI Automation framework to steal data from apps

“Another option to maintain stealth without taking a passive approach is to use the caching mechanism of UIA,” the researcher said. “In addition to the UI elements currently shown on the screen that we can interact with, more elements are loaded in advance and placed in a cache. We can also interact with those elements, such as reading messages not shown on the screen, or even set the text box and send messages without it being reflected on the screen.”

This, of course, works in other applications as well. For example, in the context of an online shopping website opened in the browser, an attacker could use UIA to detect when the user is typing credit card information and exfiltrate that data.

Or they could interact with the address bar to forcefully redirect the user to a malicious version of the website they currently have open. Since the user already expects to be on the website, they might not even notice the address change. For example, if the website refreshes and asks them to log in, they might think their session expired and they need to re-authenticate. This happens quite frequently on some websites, including email services, and might not raise suspicion.
