13 Sep 2018

A significant vulnerability has been discovered in the Microsoft Edge web browser for Windows and Apple Safari for iOS that could allow attackers to spoof website addresses.

Microsoft fixed the address bar URL spoofing vulnerability last month in its August monthly security updates, while Safari is still unpatched, possibly leaving Apple users vulnerable to phishing attacks.

Today’s phishing attacks are sophisticated and very difficult to detect, and this newly discovered vulnerability takes them to another level: it can bypass basic indicators such as the URL and SSL, which are the first things a user checks to determine whether a website is fake.

The flaw was discovered by Pakistan-based security researcher Rafay Baloch. The vulnerability (CVE-2018-8383) is due to a race condition caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading.

How Does the URL Spoofing Vulnerability Work?

The flaw could potentially allow an attacker to start loading a legitimate page, so that its address is displayed in the URL bar, and then immediately replace the code in the web page with malicious code.

Baloch has mentioned in his blog that “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing.

It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”

The URL in the address bar remains the same and so this phishing attack would be difficult to detect even for an expert user.
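Since the address bar gives the user nothing to go on, one network-side signal follows from the behaviour Baloch describes: a client repeatedly requesting a well-known site on a port where nothing listens. The sketch below is an added example, not code from the researcher or this article; it is a triage heuristic only, the proxy log format, watched host and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: timestamp, client, method, host:port, result.
SAMPLE_LOG = """\
2018-09-13T10:00:00 10.0.0.5 CONNECT accounts.example.com:443 200
2018-09-13T10:00:01 10.0.0.7 CONNECT accounts.example.com:8080 timeout
2018-09-13T10:00:11 10.0.0.7 CONNECT accounts.example.com:8080 timeout
2018-09-13T10:00:21 10.0.0.7 CONNECT accounts.example.com:8080 timeout
2018-09-13T10:00:30 10.0.0.9 CONNECT cdn.example.net:8443 200
2018-09-13T10:00:40 10.0.0.9 CONNECT accounts.example.com:8080 refused
"""

WATCHED_HOSTS = {"accounts.example.com"}  # assumption: sites likely to be impersonated
WEB_PORTS = {80, 443}                     # ports the real site is expected to serve
FAILED = {"timeout", "refused"}           # assumption: how the proxy records a dead port


def parse(line):
    """Split one log line into (time, client, host, port, result)."""
    ts, client, _method, target, result = line.split()
    host, _, port = target.rpartition(":")
    return datetime.fromisoformat(ts), client, host.lower(), int(port), result


def find_spoof_candidates(log_text, min_hits=3, window_s=60):
    """Map (client, host, port) to the peak number of failed requests seen
    within window_s seconds, for watched hosts on non-web ports."""
    attempts = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        ts, client, host, port, result = parse(line)
        if host in WATCHED_HOSTS and port not in WEB_PORTS and result in FAILED:
            attempts[(client, host, port)].append(ts)
    flagged = {}
    for key, times in attempts.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            # Shrink the window until it spans at most window_s seconds.
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_hits:
            flagged[key] = best
    return flagged


if __name__ == "__main__":
    for (client, host, port), hits in find_spoof_candidates(SAMPLE_LOG).items():
        print(f"{client}: {hits} failed requests to {host}:{port}")
```

A hit only says which client to look at; the page the user was actually viewing still has to be recovered from browser history or the proxy's earlier entries for that client.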

By making use of this vulnerability, a hacker can spoof any web page like Gmail, Facebook, Twitter, or bank websites, and create fake login screens to steal credentials and other data from users, who see the legitimate domain in the address bar.

Baloch created a proof-of-concept (PoC) page to test the vulnerability and observed that both Microsoft Edge and Apple Safari browsers allowed JavaScript to update the address bar while the page was still loading.

Proof-of-Concept Video Demonstrations

Check the proof-of-concept videos for both Edge and Safari published by the researcher.

However, Google Chrome and Mozilla Firefox web browsers are safe as they are not affected by this vulnerability.
