An unpatched vulnerability in the Safari web browser allows an attacker to control the content displayed in the address bar, a security researcher discovered. The method enables well-crafted phishing attacks that are difficult for the average user to spot.
Security researcher Rafay Baloch was able to reproduce the vulnerability only in Safari and Edge web browsers.
He informed the makers of the two browsers about the risk, but only Microsoft responded with a patch on August 14, as part of its regular release of security updates.
Apple received a report about the bug on June 2 and was given 90 days to fix it before public disclosure. The three-month period expired more than a week ago, and there is still no patch for Safari.
The vulnerability is now tracked as CVE-2018-8383 and has yet to receive a severity score. Exploiting it requires the attacker to trick the victim into accessing a specially crafted web page, something that is easily achieved.
"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," he explains in a technical write-up.
By delaying the update of the address bar, an attacker can impersonate any web page while the victim sees the legitimate domain name in the address bar, complete with all the usual authentication indicators.
BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page, hosted on sh3ifu[.]com, is designed to display content that appears to come from gmail[.]com, and it all works seamlessly.
Although there are some elements that might betray suspicious activity, even a keen eye could be easily fooled. For instance, the page loading wheel and bar are both visible, indicating an incomplete process.
However, this happens with many websites because background elements have a lower priority during the loading stage. A user would likely not read anything into it and would continue to log in.
The only obstacle on Safari is that users cannot type in the form fields while the page is still loading. Baloch says that he and his team managed to clear this hurdle by injecting a fake keyboard on the screen, a trick that banking Trojans have used for years.
The researcher told BleepingComputer that Apple would include a fix in the next set of security updates.
Below you can find two videos demonstrating the address bar spoofing bug in Edge and Safari: