Microsoft's Edge was also exposed but got patched

Sep 11, 2018 14:53 GMT  ·  By

Microsoft has patched an address bar spoofing bug in its Edge web browser, while Apple has yet to follow suit and patch its iOS web browser, despite receiving a report on the issue on June 2.

Researcher Rafay Baloch disclosed the address bar spoofing bug on his website on September 10, after first sending a 90-day deadline reminder on August 11.

Microsoft promptly responded with a bug fix on August 14, but Apple has not yet patched the vulnerability present in the Safari web browser pre-installed on iOS 11.3.1. This may be because the Cupertino company intends to include the fix in the next iOS release, as it usually does.

Baloch detailed the steps necessary to reproduce the bug in his writeup, first linking a proof-of-concept HTML file that makes the vulnerable browser display https://www.gmail.com:8080/ in the address bar, although the content is actually hosted on a completely unrelated domain.

The proof of concept works because the vulnerable browser allows a maliciously crafted JavaScript script to update the contents of the address bar before and while the web page is still loading.

Address bar spoofing bugs can be very effective especially in mobile environments

The attacker adds a delay using the setInterval JavaScript function and combines it with a race condition triggered by requesting data from a non-existent port; together these are enough to trigger the address bar spoofing.

The security researcher says in his post that the PoC "causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing."

Although not very impressive from a technical point of view, address bar spoofing bugs can lead to the loss of highly sensitive information if a target visits a maliciously crafted web page that collects the data and exfiltrates it to the attacker.

This is because a spoofed address bar is almost impossible to distinguish from the real thing, especially on mobile web browsers such as Apple's Safari for iOS, where little else on screen indicates the page's true origin.

Security researcher Rafay Baloch also provided a video demo of the address bar spoofing bug affecting Apple's Safari on iOS: