Photo Credit: Rafay Baloch
A security researcher claims to have discovered an issue that can leave URLs to be spoofed in Safari for iOS and Microsoft Edge browser for Windows 10. While Microsoft has fixed the bug, Apple is yet to release a fix. The new address bar spoofing attack (CVE-2018-8383) that has been found uses phishing techniques that can reportedly bypass basic indicators like URL, which are the first checks to determine if a particular site is fake. The vulnerability was first reported to both the companies on June 2, with the researcher issuing a 90-day deadline to issue a fix before publication. Last month, a reminder of the 90-day deadline was issued, and Microsoft released a fix as part of August 14 'Patch Tuesday'.
Researcher Rafay Baloch explains the vulnerability as a race condition that can enable an attacker to loading a legitimate webpage, resulting in the page's address to appear in the address bar, then rewriting the code for the body of the page to something dangerous without updating the URL at all, reports The Register. This essentially has the potential to enable an attacker to create fake login screens or other forms that could be used in extracting usernames, passwords, and other personal user data, while the users think they were on a legit page.
Baloch explains, "During my testing, it was observed that upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing." He adds, "It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing."
Proof-of-concept videos for both the Edge browser (v42.17134.1.0) and Safari (iOS 11.3.1) were posted by Baloch on his site. It is interesting to note that since both the browsers are closed-source, there is no clarity on why Edge and Safari would be affected by the same issue, while Chrome or Firefox remain unaffected. As mentioned, Microsoft has already fixed the bug, but Baloch says Apple will fix it in an upcoming update.