Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Apple’s Safari and Microsoft’s Edge browsers contain spoofing bug

Apple’s Safari and Microsoft’s Edge browser users are vulnerable to a bug that would allow attackers to spoof website addresses.

Independent security researcher Rafay Baloch spotted the vulnerability that could allow JavaScript to update the address bar while the page was still loading effectively causing the browser to display the intended address while loading content from the spoofed page.

“ Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by set Interval function managed to trigger address bar spoofing,” Baloch said in the post. “It causes browser to preserve the address bar and to load the content from the spoofed page.”

Microsoft has already taken action and patched the vulnerability (CVE-2018-8383) in its Edge browser but Safari remains vulnerable as Apple has yet to patch the spoofing flaw.

The vulnerability would allow an attacker to create fake login screens or other forms that could harvest usernames, passwords and other data from users who thought they were on a real landing page.

Baloch couldn’t explain why both the Apple and the Microsoft browser had the same vulnerability as each are closed-source and Google’s Chrome and Mozilla’s Firefox don’t share the flaw, however he speculated that its possibly be a result of when the browsers decide to display a page’s URL.  

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.