Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

Advertisement
By Sumit Chakraborty | Updated: 12 September 2018 18:39 IST
Highlights
  • Safari and Edge spoofing exploit revealed
  • Microsoft had released a fix as part of August 14 'Patch Tuesday'
  • Apple is yet to patch spoofing vulnerability
Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

URL bar spoofing allows website addresses to be spoofed in Safari for iOS and Microsoft's Edge browser

Photo Credit: Rafay Baloch

A security researcher claims to have discovered an issue that can leave URLs to be spoofed in Safari for iOS and Microsoft Edge browser for Windows 10. While Microsoft has fixed the bug, Apple is yet to release a fix. The new address bar spoofing attack (CVE-2018-8383) that has been found uses phishing techniques that can reportedly bypass basic indicators like URL, which are the first checks to determine if a particular site is fake. The vulnerability was first reported to both the companies on June 2, with the researcher issuing a 90-day deadline to issue a fix before publication. Last month, a reminder of the 90-day deadline was issued, and Microsoft released a fix as part of August 14 'Patch Tuesday'.

Researcher Rafay Baloch explains the vulnerability as a race condition that can enable an attacker to loading a legitimate webpage, resulting in the page's address to appear in the address bar, then rewriting the code for the body of the page to something dangerous without updating the URL at all, reports The Register. This essentially has the potential to enable an attacker to create fake login screens or other forms that could be used in extracting usernames, passwords, and other personal user data, while the users think they were on a legit page.

Baloch explains, "During my testing, it was observed that upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing." He adds, "It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing."

Proof-of-concept videos for both the Edge browser (v42.17134.1.0) and Safari (iOS 11.3.1) were posted by Baloch on his site. It is interesting to note that since both the browsers are closed-source, there is no clarity on why Edge and Safari would be affected by the same issue, while Chrome or Firefox remain unaffected. As mentioned, Microsoft has already fixed the bug, but Baloch says Apple will fix it in an upcoming update.

 
Post your comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.

Further reading: Apple, Microsoft, Safari, Edge, Address Bar Spoofing
Plex Cloud Shutting Down on November 30 Citing Unmanageable Expenses
LG Display Struggles for Footing After LCD Forecasting Error Leads to Crisis
Advertisement

Related Stories

Tech News in Hindi »

More Technology News in Hindi »
Popular on Gadgets
Latest Gadgets
Popular Mobile Brands
#Trending Stories
  1. Nothing Phone 3 Price, Colour Options Tipped Ahead of Global Debut
  2. Realme C71 With 6,300mAh Battery Goes Official: Price, Specifications
  3. Samsung Galaxy Z Fold 7 Spotted on WPC Database With Qi2 Charging Support
  4. Google Pixel 10 Series Reportedly Set to Launch on August 20
  5. Vivo Y19s Pro With 6,000mAh Battery, 50-Megapixel Main Camera Launched
  6. Meta Aiming to Fully Automate Advertising With AI by 2026: Report
  7. Microsoft Bing Is Letting You Generate AI Videos Using Sora for Free
  8. Samsung Galaxy Ring 2 Said to Be in Development, but 2025 Launch Unlikely
#Latest Stories
  1. OpenAI Plans for All-Knowing ChatGPT Super Assistant Revealed in Internal Document
  2. Samsung Galaxy S25 Ultra Price in India Temporarily Cut by Rs. 12,000: Specifications, Features
  3. Elden Ring Nightreign Sells 3.5 Million Copies as FromSoftware Confirms Duos Mode Is on the Way
  4. Nothing Phone 3 Global Launch Date Set for July 1: Expected Specifications, Features
  5. Lava Storm Play 5G India Launch, Key Specifications Teased; Set to Debut Alongside Lava Storm Lite 5G
  6. Character.AI Unveils Video Generation Tool, Community Feed and Other Interactive Features
  7. Samsung Galaxy Z Fold 7 Spotted on WPC Database With Qi 2 Charging Support Like the Galaxy S25 Series
  8. OnePlus Ace 6, OnePlus Ace 6 Pro Tipped to Debut With Snapdragon 8 Series Chips
  9. Vivo Y19s Pro With 6,000mAh Battery, 50-Megapixel Rear Camera Launched: Price, Features
  10. Samsung Galaxy Ring 2 Reportedly in Development, but 2025 Launch Unlikely
Gadgets 360 is available in
Follow Us
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2025. All rights reserved.