A browser address bar spoofing flaw was found by researchers this week in Safari – and Apple has yet issue a patch for the flaw.
Researcher Rafay Baloch on Monday disclosed two proof-of-concepts revealing how vulnerabilities in Edge browser 42.17134.1.0 and Safari iOS 11.3.1 could be abused to manipulate the browsers’ address bars, tricking victims into thinking they are visiting a legitimate website.
Baloch told Threatpost Wednesday that Apple has promised to fix the flaw in its next security update for Safari. “Apple has told [me] that the latest beta of iOS 12 also addresses the issue, however they haven’t provided any dates,” he said. Apple did not respond to multiple requests for comment from Threatpost.
Microsoft for its part has fixed the vulnerability Baloch found in the Edge browser, (CVE-2018-8383) in its August Patch Tuesday release. According to Microsoft’s vulnerability advisory released August 14, the spoofing flaw exists because Edge does not properly parse HTTP content.
The browser would then preserve the address bar and load the content from the spoofed page, Baloch said in his blog breaking down both vulnerabilities.
From there, the attacker could spoof the website, using it to lure in victims and potentially gather credentials or spread malware. For instance, the attacker could send an email message containing the specially crafted URL to the user, convince the user to click it, and take them to the link which could gather their credentials or sensitive information.
“As per Google, Address bar is the only reliable indicator for ensuring the identity of the website, if the Address bar points to Facebook.com and the content is hosted on attacker’s website, there is no reason why someone would not fall for this,” Baloch told Threatpost.
In a video demonstration, Baloch showed how he could visit a link for the vulnerable browser on Edge (http://sh3ifu[.]com/bt/Edge-Spoof.html), which would take him to a site purporting to be Gmail login. However, while the URL points to a Gmail address, the content is hosted on sh3ifu.com, said Baloch.
No other browsers – including Chrome or Firefox – were discovered to have the flaw, said Baloch. Baloch is known for discovering similar vulnerabilities in Chrome, Firefox and other major browsers in 2016, which also allowed attackers to spoof URLs in the address bar.