Safari & Edge Vulnerability Allowed Hackers To Perform Address Bar Spoofing Attacks

A vulnerability in the Safari browser allowed attackers to take control of the content displayed on the address bar and the security researcher who discovered this found that the method enables the bad actor to perform phishing attacks that are very difficult for the user to identify. The browser bug is a race condition which is allowing the JavaScript to change the address bar before even the web pages is loaded completely.

Who Discovered The Vulnerability?

The vulnerability was identified by a security researcher named Rafay Baloch and he was able to reproduce the bug only in Safari and Edge browsers, the security researcher immediately informed both the companies Apple and Microsoft about the bug. While Microsoft has responded with the a patch on Edge on August 14th as part of their one of the security updates Apple didn’t provide the patch until now. The three-month grace period prior to public exposure expired a week ago.

While the vulnerability has yet to be given a severity score it has been given a tracking id as CVE-2018-8383. To exploit the vulnerability the attackers were required to trick the victim onto a specially designed website which can be achieved easily and Apple delaying this patch may have left the Safari browser vulnerable allowing the attacker to impersonate any web page as the victim sees the legitimate domain name in the address bar with complete authentication marks. You can read Baloch’s full write up here.

Did The Bug Work?

When the bug was tested with PoC (Proof-Of-Concept) Code, The page was able to load content from Gmail while the page is hosted on sh3ifu.com and it works perfectly although there are some elements that kept loading as the page loaded completely indicating that it an incomplete process.

The only difficulty on Safari is that users cannot type in the fields while the page is still loading. Baloch says that he and his team overcame this issue by adding a fake keyboard on the screen, something that banking Trojans did for years.

Take your time to comment on this article.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients