• Home
  • Laptops
  • Laptops News
  • Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

Share on Facebook Tweet Share Share Reddit Comment
Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

Photo Credit: Rafay Baloch

URL bar spoofing allows website addresses to be spoofed in Safari for iOS and Microsoft's Edge browser

Highlights

  • Safari and Edge spoofing exploit revealed
  • Microsoft had released a fix as part of August 14 'Patch Tuesday'
  • Apple is yet to patch spoofing vulnerability

A security researcher claims to have discovered an issue that can leave URLs to be spoofed in Safari for iOS and Microsoft Edge browser for Windows 10. While Microsoft has fixed the bug, Apple is yet to release a fix. The new address bar spoofing attack (CVE-2018-8383) that has been found uses phishing techniques that can reportedly bypass basic indicators like URL, which are the first checks to determine if a particular site is fake. The vulnerability was first reported to both the companies on June 2, with the researcher issuing a 90-day deadline to issue a fix before publication. Last month, a reminder of the 90-day deadline was issued, and Microsoft released a fix as part of August 14 'Patch Tuesday'.

Researcher Rafay Baloch explains the vulnerability as a race condition that can enable an attacker to loading a legitimate webpage, resulting in the page's address to appear in the address bar, then rewriting the code for the body of the page to something dangerous without updating the URL at all, reports The Register. This essentially has the potential to enable an attacker to create fake login screens or other forms that could be used in extracting usernames, passwords, and other personal user data, while the users think they were on a legit page.

Baloch explains, "During my testing, it was observed that upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing." He adds, "It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing."

Proof-of-concept videos for both the Edge browser (v42.17134.1.0) and Safari (iOS 11.3.1) were posted by Baloch on his site. It is interesting to note that since both the browsers are closed-source, there is no clarity on why Edge and Safari would be affected by the same issue, while Chrome or Firefox remain unaffected. As mentioned, Microsoft has already fixed the bug, but Baloch says Apple will fix it in an upcoming update.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Plex Cloud Shutting Down on November 30 Citing Unmanageable Expenses
LG Display Struggles for Footing After LCD Forecasting Error Leads to Crisis
 
 

Advertisement

 

Advertisement