Security researcher Rafay Baloch, who has previously uncovered various address bar spoofing techniques affecting modern browsers, has disclosed yet another such vulnerability affecting Safari and Edge browser. While Microsoft was quick to react and has patched the bug in August, Apple is still taking the time to address it, meaning that the bug is left unpatched in Safari. The unpatched condition could allow an attacker to take control over the content displayed in the address bar. From here on, the attacker can orchestrate various phishing attacks.
Bug Tracked as CVE-2018-8383 in Edge
- Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing.
- The bug also causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will still load the resource at some point. It should be noted that the delay induced with setInterval function would be enough to trigger the address bar spoofing, the researcher added.
Still No Fix from Apple
Apparently, the researcher notified both Microsoft and Apple, but for now only Microsoft has released a patch. Apple was notified about it via a bug report sent on June 2, and it had 90 days to fix the bug before it went public. However, this period has now expired, and no solution for the Safari browser has been provided by the company. This delay for the underlying patch opens up a window of opportunity for attackers to exploit the bug. The bug gives the opportunity for threat actors to impersonate any web page, thus tricking the victim that the domain in address bar is legitimate.
Let’s hope that Apple will release patch as soon as possible.