Apple's Safari and Microsoft's Edge browsers contain spoofing bug

News by Robert Abel

Apple's Safari and Microsoft's Edge browser users are vulnerable to a bug that would allow attackers to spoof website addresses.

Independent security researcher Rafay Baloch spotted the vulnerability, which could allow JavaScript to update the address bar while the page was still loading, effectively causing the browser to display the intended address while loading content from the spoofed page.

"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing," Baloch said in the post. "It causes browsers to preserve the address bar and to load the content from the spoofed page."

Microsoft has already taken action and patched the vulnerability (CVE-2018-8383) in its Edge browser, but Safari remains vulnerable, as Apple has yet to patch the spoofing flaw.

The vulnerability would allow an attacker to create fake login screens or other forms that could harvest usernames, passwords and other data from users who thought they were on a real landing page.

Baloch couldn’t explain why both the Apple and the Microsoft browsers had the same vulnerability, as each is closed-source and Google’s Chrome and Mozilla’s Firefox don’t share the flaw; however, he speculated that it is possibly a result of when the browsers decide to display a page’s URL.
