Safari and Edge browsers infected by a spoofing bug

by Jake Doevan - - 2018-09-15

Hackers used a bug to insert malicious content into Edge's and Safari's address bar

Safari and Edge browsers infected by a spoofing bug Safari and Edge spoofing has been reported recently and Microsoft has already solved the issue for Edge, however, Apple is still working on it for Safari.

A severe vulnerability in the Windows Microsoft Edge and Apple Safari browser was discovered recently. The bug permitted hackers to spoof various website URLs. However, Microsoft has already solved and fixed this problem while Apple is still working on the process. Due to this, Apple users risk being victims of cyber attacks.

A cybersecurity researcher named Rafay Baloch has discovered that the vulnerability (CVE-2018-8383) allowed JavaScript to put up a questionable address in the URL bar section^[1]:

During my testing, it was observed that both Edge and Safari browser allowed javascript to update the address bar while the page was still loading. Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing.

The spoofing process details

Spoofing has a particular operating principle which allows the hacker to load a legitimate site straight in the URL section and replace the harmless address with a malicious or even virus-related one^[2]. While in the past users checked the URL address of the website to make sure that it is not fake, nowadays it might cause no effect, as the spoofed URL does not differ from the original one.

According to research, hackers can load the legitimate web page, re-write the body code to something malicious, without changing the URL. Using such weakness, hackers can easily produce fake login screens from Facebook, Gmail, and Twitter which would allow them to steal various sensitive information including credential details from users who are tricked by the legitimate-looking URL.

Apple gave no oriental details about the issue fixing time limit

Even though Microsoft managed to fix the issue and Apple did not representatives of the latter company claimed that the bug would be taken care of together with the next Safari browser security update^[3]. However, according to Baloch, Apple did not give any current details or dates of the time when the fix will be applied.

While Safari and Edge were affected by the bug,^[4] other browsers such as Google Chrome and Mozilla Firefox remain secure. Microsoft and Apple faced a disclosure of the remaining vulnerabilities and were given 90-day time duration to sort everything out before Baloch publicly announced about the failure^[5].

Moreover, the IT researcher measured the risk of vulnerabilities on Edge and Safari, and discovered that such bug is way easier to use on the latter:

However considering there is a slight difference between the Edge browser POC and Safari, anyone with decent knowledge of Javascript can make it work on Safari.

About the author

Jake Doevan - Computer technology expert

Jake Doevan is one of News Editors for 2-spyware.com. He graduated from the Washington and Jefferson College , Communication and Journalism studies.

Contact Jake Doevan
About the company Esolutions

References

^ Rafay Baloch. Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup. RafahBaloch.com. About cybersecurity.
^ Swati Khandelwal. Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs. The Hacker News.
^ Sergiu Gatlan. Safari Vulnerable to Address Bar Spoofing on iOS. Softpedia news. IT info.
^ Malcolm Owen . Safari for iOS URL spoofing exploit revealed, with no documented fix. Appleinsider.com. IT news portal.
^ Lindsey O'Donnell. Apple Yet to Patch Safari Browser Address Bar Spoofing Flaw. Threatpost. An independent news site.