While Microsoft fixed the address bar URL spoofing vulnerability last month as part of its monthly security updates, Safari is still unpatched, potentially leaving Apple users vulnerable to phishing attacks.
Phishing attacks today are sophisticated and increasingly difficult to spot, and this newly discovered vulnerability goes a step further: it can defeat the basic indicators, the URL and the SSL padlock, that are the first things a user checks to determine whether a website is fake.
Discovered by Pakistan-based security researcher Rafay Baloch, the vulnerability (CVE-2018-8383) is a race-condition issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is still loading.
Here’s How the URL Spoofing Vulnerability Works
Successful exploitation of the flaw could potentially allow an attacker to initially start loading a legitimate page, which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious one.
"Upon requesting data from a non-existent port the address was preserved, and hence, due to a race condition over a resource requested from a non-existent port, combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," Baloch explains on his blog.
"It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will, however, eventually load the resource; however, the delay induced with the setInterval function would be enough to trigger the address bar spoofing."
Since the URL displayed in the address bar does not change, the phishing attack would be difficult for even a trained user to detect.
Using this vulnerability, an attacker can impersonate any web page, including Gmail, Facebook, Twitter, or even bank websites, and create fake login screens or other forms to steal credentials and other data from users, who see the legitimate domain in the address bar.
Baloch created a proof-of-concept (PoC) page to test the vulnerability, and observed that both Microsoft Edge and Apple Safari browsers "allowed javascript to update the address bar while the page was still loading."
Proof-of-Concept Video Demonstrations
The researcher has also published proof of concept videos for both Edge and Safari:
According to Baloch, neither Google Chrome nor Mozilla Firefox is affected by this vulnerability.
While Microsoft had already patched the issue last month with its Patch Tuesday updates for August 2018, Baloch has yet to get a response from Apple about the flaw he reported to the company back on June 2.
The researcher disclosed the full technical details of the vulnerability and proof-of-concept (PoC) code for Edge only after the 90-day disclosure window, but he is holding the proof-of-concept code for Safari until Apple patches the issue in the upcoming version of Safari.