Safari for iOS URL spoofing exploit revealed, with no documented fix

Posted:
in iOS edited September 11
A security researcher has revealed an issue that can allow website addresses to be spoofed in Safari for iOS and Microsoft's Edge browser, but while Microsoft has since fixed the flaw, it is unclear if Apple has updated Safari, potentially leaving the iOS browser vulnerable to attack.




Researcher Rafay Baloch explains the vulnerability involves a specially created webpage that would load one set of content while showing a specific URL in the address bar, then rewriting the code for the body of the page without updating the URL at all, reports The Register.

The spoofing flaw, now identified as CVE-2018-8383 in relation to Edge, allowed javascript to update the address bar while the page was loading, said Baloch. When data was requested from a "non-existent port," the address was preserved, and due to a "race condition over a resource requested from non-existent port combined with the delay induced by setInterval function," was able to be spoofed.

To end users, this could allow for a malicious page to show what appears to be a genuine website page, complete with what appears to be the correct URL. This could be employed in attacks where a fake log-in page for a service could be presented to the user, under the pretense that it is a real authentication request.





Due to the closed source nature of the browsers, it is unknown why Safari for iOS and Edge are affected by this issue, but Chrome and Firefox remain unaffected.

The vulnerability was reported to both Apple and Microsoft on June 2, with Baloch issuing a 90-day deadline to create a fix before publication, a typical policy by security researchers. On August 11, a reminder of the 90-day deadline was issued, with Microsoft then releasing a fix as part of August 14 "Patch Tuesday."

Baloch released details of the flaw on September 10, with Apple yet to have confirmed publicly or to the researcher that it has been repaired. As a result, Baloch is openly discussing the flaw, but will not publish proof-of-concept code until such a patch has been released.

AppleInsider has contacted Apple about the flaw and the status of an update to fix it.

Comments

  • Reply 1 of 14
    I'll take a wild guess that it will be fixed tomorrow (?)
  • Reply 2 of 14
    That's a really scary spoof because I always check the URL when I am asked for credentials. Hope Apple fixes it asap.
    bonobobnapoleon_phoneapart
  • Reply 3 of 14
    netrox said:
    That's a really scary spoof because I always check the URL when I am asked for credentials. Hope Apple fixes it asap.

    It doesn't really bother me since I use Apps to access most of my services (instead of web pages). The few sites I do need to login I have bookmarked so I don't have to worry about the URL being incorrect. As a rule, I never log into anything where the URL comes from a link. I don't even bother reading the URL to see if it's valid - I assume it's not valid. So if I get an e-mail from my bank about something, I exit the e-mail and go to my banking App instead. Or I'll load the website from my saved bookmarks.

    With all the scams over the years about spoofed website URLs I'm surprised anyone still opens links. But I guess many people still do, otherwise the crooks wouldn't keep trying.
    racerhomie3dws-2mac_dogols
  • Reply 4 of 14
    Yesterday I was trying to shop on eBay (with my iPad Pro, iOS 11), but every time I arrived on the eBay search results page I was within seconds redirected (without clicking anything) to a fraudulent external website. I tried to tell ebay customer service what was happening, but the poor woman was completely out of her league and could only think in terms of helping a customer who doesn’t understand how to properly use eBay. It’s an interesting hack/exploit though. 
    PetrolDaveols
  • Reply 5 of 14
    Yesterday I was trying to shop on eBay (with my iPad Pro, iOS 11), but every time I arrived on the eBay search results page I was within seconds redirected (without clicking anything) to a fraudulent external website. I tried to tell ebay customer service what was happening, but the poor woman was completely out of her league and could only think in terms of helping a customer who doesn’t understand how to properly use eBay. It’s an interesting hack/exploit though. 
    Why not use the app?
    StrangeDays
  • Reply 6 of 14
    Safari browser had one constraint which did not allow users to type information into the input boxes while the page was in the loading state. However, we were able to circumvent this restriction by injecting a fake keyboard (which happens to be a very common practice in banking websites).”

    https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html?m=1

    So, in order to get spoofed you have to inject a fake keyboard into Safari for iOS. Cool...
    edited September 11
  • Reply 7 of 14
    I used automatic password fill in safari with keychain. Once I click on a link of a spam email and was directed to a spoof website (one small difference in the url), but autofill could not fill the password because I was not a the correct site. Does this spoofing technic can fool autofill ?  
    davgreg
  • Reply 8 of 14
    Yesterday I was trying to shop on eBay (with my iPad Pro, iOS 11), but every time I arrived on the eBay search results page I was within seconds redirected (without clicking anything) to a fraudulent external website. I tried to tell ebay customer service what was happening, but the poor woman was completely out of her league and could only think in terms of helping a customer who doesn’t understand how to properly use eBay. It’s an interesting hack/exploit though. 
    I would try closing your browser, then reopen it and clear your history in Safari. That has worked for me in the past on my iPad. 
  • Reply 9 of 14
    Use Cisco Umbrella to protect your selves in the meantime boys. 
    Apple security engineers are focusing on the new OS at the moment. Security update for Safari will come out eventually!
  • Reply 10 of 14
    Can it spoof the security certificate as well?
    I never give info on a website without checking the certificate first.
    Click on the padlock and you can see the certificate.
  • Reply 11 of 14
    netrox said:
    That's a really scary spoof because I always check the URL when I am asked for credentials. Hope Apple fixes it asap.

    It doesn't really bother me since I use Apps to access most of my services (instead of web pages). The few sites I do need to login I have bookmarked so I don't have to worry about the URL being incorrect. As a rule, I never log into anything where the URL comes from a link. I don't even bother reading the URL to see if it's valid - I assume it's not valid. So if I get an e-mail from my bank about something, I exit the e-mail and go to my banking App instead. Or I'll load the website from my saved bookmarks.

    With all the scams over the years about spoofed website URLs I'm surprised anyone still opens links. But I guess many people still do, otherwise the crooks wouldn't keep trying.
    This. Plus, what about the “lock” symbol - doesn’t that indicate a https connection which in the spoofing case would not be shown?
  • Reply 12 of 14
    Safari browser had one constraint which did not allow users to type information into the input boxes while the page was in the loading state. However, we were able to circumvent this restriction by injecting a fake keyboard (which happens to be a very common practice in banking websites).”

    https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html?m=1

    So, in order to get spoofed you have to inject a fake keyboard into Safari for iOS. Cool...
    I think you misunderstood the part about fake keyboard (or didn't read the description in parentheses).  The keyboard isn't injected into Safari app. It is part of the webpage.  Many banks do this on their webistes to defeat keyloggers, but in this case it works against Safari's security mechansim.

  • Reply 13 of 14
    urashid said:
    “Safari browser had one constraint which did not allow users to type information into the input boxes while the page was in the loading state. However, we were able to circumvent this restriction by injecting a fake keyboard (which happens to be a very common practice in banking websites).”

    https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html?m=1

    So, in order to get spoofed you have to inject a fake keyboard into Safari for iOS. Cool...
    I think you misunderstood the part about fake keyboard (or didn't read the description in parentheses).  The keyboard isn't injected into Safari app. It is part of the webpage.  Many banks do this on their webistes to defeat keyloggers, but in this case it works against Safari's security mechansim.

    Does it matter? Where it is injected was the joke part pointing to the vagueness of the “discovery”. Those Flash keyboards were once common in the early days of the Internet but today no one would build a security scheme that would depend solely on those creative keyboards.
    edited September 12
  • Reply 14 of 14
    Mandatory two-factor authentication implemented by the service you are attempting to access would ultimately protect you from this.
Sign In or Register to comment.