A security researcher has discovered a serious vulnerability that could allow attackers to spoof website addresses in the Microsoft Edge web browser for Windows and in Apple Safari for iOS, The Hacker News reported on September 12.
Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, but Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.
Phishing attacks today are sophisticated and increasingly difficult to spot, and this newly discovered vulnerability takes them to another level: it bypasses the basic indicators, the URL and the SSL status, which are the first things a user checks to determine whether a website is fake.
Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is a race condition caused by the web browser allowing JavaScript to update the address shown in the URL bar while the page is still loading.
Successful exploitation of the flaw could allow an attacker to start loading a legitimate page, so that its address is displayed in the URL bar, and then quickly replace the page's content with malicious content.
Since the URL displayed in the address bar does not change, the phishing attack would be difficult for even a trained user to detect.
Using this vulnerability, an attacker can impersonate any web page, including Gmail, Facebook, Twitter, or even bank websites, and create fake login screens or other forms to steal credentials and other data from users, who see the legitimate domain in the address bar.
Baloch created a proof-of-concept (PoC) page to test the vulnerability, and observed that both Microsoft Edge and Apple Safari browsers “allowed javascript to update the address bar while the page was still loading.”
Baloch said that neither Google Chrome nor Mozilla Firefox is affected by this vulnerability.
While Microsoft patched the issue last month with its Patch Tuesday updates for August 2018, Baloch has yet to receive a response from Apple about the flaw, which he reported to the company on June 2.
The researcher disclosed the full technical details of the vulnerability and the PoC code for Edge only after the 90-day disclosure window had passed, but he is withholding the PoC code for Safari until Apple patches the issue in the upcoming version of Safari.