Apple’s Safari and Microsoft’s Edge browser users are vulnerable to a bug that would allow attackers to spoof website addresses.
" Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by set Interval function managed to trigger address bar spoofing," Baloch said in the post. "It causes browsers to preserve the address bar and to load the content from the spoofed page."
Microsoft has already taken action and patched the vulnerability (CVE-2018-8383) in its Edge browser but Safari remains vulnerable as Apple has yet to patch the spoofing flaw.
The vulnerability would allow an attacker to create fake login screens or other forms that could harvest usernames, passwords and other data from users who thought they were on a real landing page.
Baloch couldn’t explain why both the Apple and the Microsoft browser had the same vulnerability as each are closed-source and Google’s Chrome and Mozilla’s Firefox don’t share the flaw, however he speculated that its possibly be a result of when the browsers decide to display a page’s URL.