Researchers have demonstrated an address-spoofing trick in the latest version of the Safari browser that attackers could leverage to send users to a malicious website while the address bar displays the address of a legitimate location.
The success of most cybercriminal activity is owed to the crooks' ability to dupe the victim into accessing fraudulent content. A vulnerability that allows them to maintain the appearance of a trusted location is bound to pique their interest.
Researcher makes available proof-of-concept code
Security researcher David Leo has found that the latest version of Safari is susceptible to the new spoofing method and published proof-of-concept code to demonstrate the flaw. The exploit works on iOS and OS X with the newest updates installed.
In the demo, Leo shows how arbitrary content is loaded in the browser while the string in the address bar claims that the page displayed belongs to the dailymail.co.uk news outlet.
The exploit is not perfect, though. By keeping an eye on the address bar, users can catch a glimpse of the web address that is actually loaded. Nonetheless, few users actually watch the address bar when accessing a web resource, so the tell-tale flicker could easily pass unnoticed.
In early February, the researcher demonstrated a same-origin policy (SOP) bypass in Internet Explorer 11 running on Windows 7 and 8.1. Microsoft has since patched that vulnerability.
A good bait can make a load of victims
The risks involved in this type of attack are obvious. Phishing attempts aimed at stealing login credentials for various online services are the most evident, but cybercriminals could also exploit the glitch to send unsuspecting users to websites serving malware.
All it takes to trick someone into accessing a fraudulent page is an email address or a phone number and the right bait.
Yesterday, we reported on crooks running a scam to harvest phone numbers by luring users with the promise of activation codes for video calls in the WhatsApp messaging service. Spoofing the web address and pairing it with the right content could claim a large number of victims.