Windows 10 News and info | Forum
April 26, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Apple's Safari Falls For New Address Bar Spoofing Trick  (Read 57 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 29942

I Do Windows

WWW Email
« on: September 12, 2018, 03:36:48 AM »

An unpatched vulnerability in the Safari web browser allows an attacker to control the content displayed in the address bar, a security researcher discovered. The method enables well-crafted phishing attacks that are difficult to spot by the average consumer.

The bug is a race condition type and it is caused by the browser permitting JavaScript to update the address bar before a web page loads completely.

Apple is taking its time to release a fix

Security researcher Rafay Baloch was able to reproduce the vulnerability only in Safari and Edge web browsers.

He informed the makers of the two browsers about the risk, but only Microsoft responded with a patch on August 14, as part of its regular release of security updates.

Apple received a report about the bug on June 2, and 90 days to fix it before public disclosure. The three-month period expired more than a week ago and there is no patch for Safari.

Tricking the eye and the mind

The vulnerability is now tracked as CVE-2018-8383 and is yet to receive a severity score. Exploiting it requires the attacker to trick the victim to access a specially crafted web page, something that is easily achieved.

"Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing," he explains in a technical write-up.

By delaying the update on the address bar, an attacker can impersonate any web page, while the victim sees the legitimate domain name in the address bar, complete with all the authentication marks.

BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page is designed to load content from gmail[.]com that is hosted on sh3ifu[.]com, and it all works seamlessly.

Although there are some elements that might betray suspicious activity, even a keen eye could be easily fooled. For instance, the page loading wheel and bar are both visible, indicating an incomplete process.

However, this happens with lots of websites because of the background elements that have a lower priority during the loading stage. A user would not read anything into this and continue to log in.

The only problem on Safari is that users cannot type in the fields while the page is still loading. Baloch says that he and his team managed to jump this hurdle by injecting a fake keyboard on the screen, something that banking Trojans did for years.

The researcher told BleepingComputer that Apple would include a fix in the next set of security updates.

Below you can find two videos demonstrating the address bar spoofing bug in Edge and Safari:


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page April 12, 2019, 02:53:18 AM