To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.

In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.

Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials