Edge and Safari Browsers Vulnerable to Address Bar Spoofing
Independent cybersecurity expert Rafay Baloch has discovered that the Edge and Safari browsers are vulnerable to address bar spoofing. While Microsoft engineers responded to the warning and fixed the vulnerability in August 2018 (assigned CVE-2018-8383), the issue remains unresolved in Safari. Baloch reports that he notified Apple about the bug on June 2, 2018. Since the standard 90-day disclosure period expired over a week ago, the expert decided to publish information about the problem.
How the Vulnerability Works
In his blog, Baloch explains that the issue is related to a race condition. Essentially, an attacker only needs to lure a victim to a specially crafted web page. The browser will then begin loading what appears to be a legitimate resource. The attacker waits for the legitimate URL to appear in the address bar, then replaces the page's content on the fly with malicious content, without changing the URL. Theoretically, this allows attackers to create fake login pages and other forms, enabling them to steal user credentials from people who believe they are interacting with a legitimate site.
Proof of Concept and Demonstrations
Journalists from Bleeping Computer tested the expert’s proof-of-concept page on iOS. As shown in the illustration below, the PoC works perfectly: a site that appears to be gmail[.]com is actually sh3ifu[.]com.
Baloch also published video demonstrations of the attacks on both browsers in his blog. These videos can be viewed below.
Source
Original article: https://xakep.ru/2018/09/12/address-bar-spoofing/