Safari for iOS URL spoofing exploit revealed, with no documented fix
A security researcher has revealed an issue that can allow website addresses to be spoofed in Safari for iOS and Microsoft's Edge browser, but while Microsoft has since fixed the flaw, it is unclear if Apple has updated Safari, potentially leaving the iOS browser vulnerable to attack.
Researcher Rafay Baloch explains the vulnerability involves a specially created webpage that would load one set of content while showing a specific URL in the address bar, then rewriting the code for the body of the page without updating the URL at all, reports The Register.
The spoofing flaw, now identified as CVE-2018-8383 in relation to Edge, allowed javascript to update the address bar while the page was loading, said Baloch. When data was requested from a "non-existent port," the address was preserved, and due to a "race condition over a resource requested from non-existent port combined with the delay induced by setInterval function," was able to be spoofed.
To end users, this could allow for a malicious page to show what appears to be a genuine website page, complete with what appears to be the correct URL. This could be employed in attacks where a fake log-in page for a service could be presented to the user, under the pretense that it is a real authentication request.
Due to the closed source nature of the browsers, it is unknown why Safari for iOS and Edge are affected by this issue, but Chrome and Firefox remain unaffected.
The vulnerability was reported to both Apple and Microsoft on June 2, with Baloch issuing a 90-day deadline to create a fix before publication, a typical policy by security researchers. On August 11, a reminder of the 90-day deadline was issued, with Microsoft then releasing a fix as part of August 14 "Patch Tuesday."
Baloch released details of the flaw on September 10, with Apple yet to have confirmed publicly or to the researcher that it has been repaired. As a result, Baloch is openly discussing the flaw, but will not publish proof-of-concept code until such a patch has been released.
AppleInsider has contacted Apple about the flaw and the status of an update to fix it.
Researcher Rafay Baloch explains the vulnerability involves a specially created webpage that would load one set of content while showing a specific URL in the address bar, then rewriting the code for the body of the page without updating the URL at all, reports The Register.
The spoofing flaw, now identified as CVE-2018-8383 in relation to Edge, allowed javascript to update the address bar while the page was loading, said Baloch. When data was requested from a "non-existent port," the address was preserved, and due to a "race condition over a resource requested from non-existent port combined with the delay induced by setInterval function," was able to be spoofed.
To end users, this could allow for a malicious page to show what appears to be a genuine website page, complete with what appears to be the correct URL. This could be employed in attacks where a fake log-in page for a service could be presented to the user, under the pretense that it is a real authentication request.
Due to the closed source nature of the browsers, it is unknown why Safari for iOS and Edge are affected by this issue, but Chrome and Firefox remain unaffected.
The vulnerability was reported to both Apple and Microsoft on June 2, with Baloch issuing a 90-day deadline to create a fix before publication, a typical policy by security researchers. On August 11, a reminder of the 90-day deadline was issued, with Microsoft then releasing a fix as part of August 14 "Patch Tuesday."
Baloch released details of the flaw on September 10, with Apple yet to have confirmed publicly or to the researcher that it has been repaired. As a result, Baloch is openly discussing the flaw, but will not publish proof-of-concept code until such a patch has been released.
AppleInsider has contacted Apple about the flaw and the status of an update to fix it.
Comments
It doesn't really bother me since I use Apps to access most of my services (instead of web pages). The few sites I do need to login I have bookmarked so I don't have to worry about the URL being incorrect. As a rule, I never log into anything where the URL comes from a link. I don't even bother reading the URL to see if it's valid - I assume it's not valid. So if I get an e-mail from my bank about something, I exit the e-mail and go to my banking App instead. Or I'll load the website from my saved bookmarks.
With all the scams over the years about spoofed website URLs I'm surprised anyone still opens links. But I guess many people still do, otherwise the crooks wouldn't keep trying.
https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html?m=1
So, in order to get spoofed you have to inject a fake keyboard into Safari for iOS. Cool...
I never give info on a website without checking the certificate first.
Click on the padlock and you can see the certificate.