The Edge browser’s ability to warn users about dodgy sites and to raise other security alerts can be abused to display native, legitimate-looking warning messages. This is a gift for tech support scammers, who could use it to get the great unwashed to call them thinking they have been hacked.
The flaws exist in Vole's ms-appx and ms-appx-web protocols, which the browser uses to present warning messages when phishing or malware delivery sites are detected.
When Edge detects a suspected malicious site it colours the page red with a feature called “SmartScreen”.
However, Buenos Aires security tester Manuel Caballero said it was a doddle for scammers to create warnings that replace the SmartScreen text and phone number, indicating that a nominated site, which is also displayed in the address bar, is infected.
All they have to do is alter the URL characters and append a hash and the URL of a legitimate-looking site.
Those errors can be avoided by changing a single character in the URL, and the displayed address can be changed to that of a legitimate site by appending a hash. It is not clear whether Microsoft is doing anything about the problem yet.
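From the defender's side, the pattern described above (an ms-appx or ms-appx-web link with a hash and another site's address appended) is something a mail gateway or proxy log review can flag. The following is an added example written for this page, not code from the article or from Caballero's research; it scans a list of URLs with Python's standard `urllib.parse` and reports links that use those two schemes and carry a fragment naming another site. The package names and paths in the sample data are constructed placeholders, not real Edge resource paths.

```python
"""Flag ms-appx / ms-appx-web links that carry an appended site fragment.

Added example, not part of the original article. It scans URLs (e.g.
extracted from e-mail or web-proxy logs) for links that use Edge's
internal ms-appx / ms-appx-web schemes and append a '#...' fragment that
names another site. The package names and paths in SAMPLE_URLS are
constructed placeholders, not real Edge resource paths.
"""
from urllib.parse import urlsplit

# The two schemes the article names as the ones Edge uses for its warning pages.
SUSPECT_SCHEMES = {"ms-appx", "ms-appx-web"}


def looks_like_site(fragment: str) -> bool:
    """True if the fragment looks like a URL or a bare host name."""
    frag = fragment.strip().lower()
    if frag.startswith(("http://", "https://")):
        return True
    # Bare host such as bank.example or www.bank.example: dotted labels only.
    parts = frag.split(".")
    return len(parts) >= 2 and all(p and p.replace("-", "").isalnum() for p in parts)


def classify(url: str) -> dict:
    """Return a verdict dict for one URL.

    A URL is marked suspicious when it uses an ms-appx / ms-appx-web scheme
    AND its fragment names another site, which is the abuse pattern the
    article describes.
    """
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    verdict = {
        "url": url,
        "scheme": scheme,
        "fragment": parts.fragment,
        "suspicious": False,
        "reason": "",
    }
    if scheme not in SUSPECT_SCHEMES:
        return verdict
    if parts.fragment and looks_like_site(parts.fragment):
        verdict["suspicious"] = True
        verdict["reason"] = "internal Edge scheme with an appended site fragment"
    else:
        verdict["reason"] = "internal Edge scheme without a site fragment; not flagged"
    return verdict


def scan(urls):
    """Return the verdicts for every suspicious URL in an iterable of URLs."""
    return [v for v in (classify(u) for u in urls) if v["suspicious"]]


# Constructed sample input: hypothetical links as they might appear in a
# mail-gateway or proxy log. Package names and paths are placeholders.
SAMPLE_URLS = [
    "https://www.example.com/news",
    "ms-appx-web://placeholder-package/warning.html",
    "ms-appx-web://placeholder-package/warning.html#https://bank.example",
    "ms-appx://placeholder-package/warning.html#www.bank.example",
    "ms-appx-web://placeholder-package/warning.html#section2",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_URLS):
        print(f"{hit['url']} -> {hit['reason']}")
```

Run it as a script to list the two constructed links that match the pattern; in practice you would feed `scan()` the URLs harvested from your own logs. A plain in-page anchor such as `#section2` is deliberately not flagged, so the check only fires when the fragment itself looks like a second site, which keeps the noise down on legitimate ms-appx links.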