An unpatched vulnerability in the Safari web browser allows an attacker to control the content displayed in the address bar, a security researcher discovered. The method enables well-crafted phishing attacks that are difficult to spot by the average consumer.

The bug is a race condition: the browser lets JavaScript update the address bar before the web page has finished loading.

Apple is taking its time to release a fix

Security researcher Rafay Baloch was able to reproduce the vulnerability only in Safari and Edge web browsers.

He informed the makers of the two browsers about the risk, but only Microsoft responded with a patch on August 14, as part of its regular release of security updates.

Apple received a report about the bug on June 2 and was given 90 days to fix it before public disclosure. The three-month period expired more than a week ago, and there is still no patch for Safari.

Tricking the eye and the mind

The vulnerability is now tracked as CVE-2018-8383 and is yet to receive a severity score. Exploiting it requires the attacker to trick the victim into visiting a specially crafted web page, something that is easily achieved.

"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," he explains in a technical write-up.

By delaying the update on the address bar, an attacker can impersonate any web page, while the victim sees the legitimate domain name in the address bar, complete with all the authentication marks.
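As an added illustration of the pattern the quote describes (this is not the researcher's proof of concept), the following heuristic flags pages whose inline script both navigates to a URL on an unusual explicit port and installs a timer; the port list, the regular expressions and the sample pages are assumptions made for the example.

```python
import re
from html.parser import HTMLParser

# Ports a request is normally answered on; others count as "non-existent" here (assumption).
EXPECTED_PORTS = {80, 443, 8080, 8443}
NAV_RE = re.compile(
    r"(?:location(?:\.href)?\s*=|location\.(?:assign|replace)\(|window\.open\()"
    r"\s*['\"](?P<url>https?://[^'\"]+)['\"]")
PORT_RE = re.compile(r"^https?://[^/:?#]+:(?P<port>\d+)")
TIMER_RE = re.compile(r"\bset(?:Interval|Timeout)\s*\(")

class _ScriptCollector(HTMLParser):
    """Gather the text of every inline <script> element."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def find_spoof_indicators(html):
    """Return (url, port) for each navigation to an unusual port inside a
    script that also installs a timer. An empty list means only that this
    pattern was not seen, not that the page is safe."""
    collector = _ScriptCollector()
    collector.feed(html)
    hits = []
    for script in collector.scripts:
        if not TIMER_RE.search(script):
            continue  # the delay half of the pattern is absent
        for m in NAV_RE.finditer(script):
            port = PORT_RE.match(m.group("url"))
            if port and int(port.group("port")) not in EXPECTED_PORTS:
                hits.append((m.group("url"), int(port.group("port"))))
    return hits

# Constructed sample pages, not taken from the article or the PoC.
SUSPICIOUS_PAGE = """<html><body><script>
window.location.assign("https://accounts.example.com:8123/login");
setInterval(function () { document.title = "Sign in"; }, 10);
</script></body></html>"""
BENIGN_PAGE = """<html><body><script>setInterval(tick, 1000);</script>
<a href="https://example.com/">Home</a></body></html>"""
```

A proxy or mail gateway could run this over fetched pages as one low-cost signal; it says nothing about pages that load the spoofing script from an external file.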

BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page is designed to load content from gmail[.]com that is hosted on sh3ifu[.]com, and it all works seamlessly.

Although there are some elements that might betray suspicious activity, even a keen eye could be easily fooled. For instance, the page loading wheel and bar are both visible, indicating an incomplete process.

However, this happens with lots of websites because of the background elements that have a lower priority during the loading stage. A user would not read anything into this and continue to log in.

The only problem on Safari is that users cannot type in the fields while the page is still loading. Baloch says that he and his team managed to clear this hurdle by injecting a fake keyboard on the screen, something that banking Trojans have done for years.

The researcher told BleepingComputer that Apple would include a fix in the next set of security updates.

Below you can find two videos demonstrating the address bar spoofing bug in Edge and Safari:

