Hackers could steal local files from a Microsoft Edge user thanks to a security vulnerability in older versions of the browser. Security researcher Ziyahan Albeniz revealed that the flaw lies in the Same Origin Policy (SOP), the mechanism that prevents attackers from accessing local files.
"The Same Origin Policy (SOP) would prevent https://attacker.com from reading file://C:/your/stuff.txt, for example," Albeniz wrote. "The reason is that they have different origins."
This essentially means that the requesting protocol and the port should be the same before access is granted. In the above example, since "https://" and "file://" are different, an attacker shouldn't be able to read your local files.
However, there is always a way...
Attackers can use social engineering tricks to get at your local files. When a user is tricked into downloading and running a malicious HTML file, the attacker gains access to local files, because the downloaded HTML file is loaded via the file:// protocol, so both sides share the same protocol and no alarm is raised.
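To make the origin comparison concrete, here is an added example (not code from the article or the researcher) that models the SOP check as a comparison of the (scheme, host, port) triple. The URLs are constructed samples; the opaque_file flag is an assumption standing in for the hardened behaviour in which a file:// document gets a unique origin and so cannot read other local files.

```python
# Added example: a minimal model of the Same Origin Policy check the article
# describes. It compares the (scheme, host, port) triple of two URLs and shows
# why an https:// page is blocked from file:// content while a downloaded
# HTML file (itself loaded via file://) is not.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def origin(url):
    """Return the (scheme, host, port) triple that SOP compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)

def same_origin(url_a, url_b, opaque_file=False):
    """True when both URLs share scheme, host and port.

    opaque_file=True (assumed hardened mode) gives every file:// URL a
    unique origin, so no document is same-origin with a local file, not
    even another local file: this closes the downloaded-HTML hole.
    """
    a, b = origin(url_a), origin(url_b)
    if opaque_file and (a[0] == "file" or b[0] == "file"):
        return False
    return a == b

# Constructed sample URLs illustrating the article's scenario.
ATTACKER_PAGE = "https://attacker.com/"
LOCAL_SECRET = "file:///C:/your/stuff.txt"
DOWNLOADED_HTML = "file:///C:/Users/victim/Downloads/attachment.html"

if __name__ == "__main__":
    print(same_origin(ATTACKER_PAGE, LOCAL_SECRET))          # False: https vs file
    print(same_origin(DOWNLOADED_HTML, LOCAL_SECRET))        # True: both file://
    print(same_origin(DOWNLOADED_HTML, LOCAL_SECRET, True))  # False: opaque file origins
```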
"I drafted an email from another computer, added the file as an attachment and then opened the attachment in the Mail and Calendar app. Much to my surprise, it worked," the researcher wrote. "I expected that the app, like the Edge browser, would block the attachment. But this was not the case at all."
When I sent the email as an attachment and waited until a user opened it, it would immediately send local files of my choosing to my server, where I could store and read them. There is probably no antivirus program that would recognize my file as malicious, and I could extract the files over a secure HTTPS connection. This is what makes this attack so stealthy! The Windows Mail and Calendar version where I tried my exploit was version 17.8600.40445.0.
The good news is that Microsoft has fixed the security vulnerability. Albeniz said that users should be safe from this attack if they are using the updated versions of Edge and the Windows Mail and Calendar application. The company fixed the vulnerability, tracked as CVE-2018-0871, with the June 2018 security patches.
Note that this attack required some action from the victim; as has been said many times, not opening files from unknown senders will keep you safe from the majority of attacks.