Safari, Edge Browsers Said to Be Vulnerable to Address Bar Spoofing Issue; Apple Reportedly Yet to Fix Bug

By Sumit Chakraborty | Updated: 12 September 2018 18:39 IST
Highlights
  • Safari and Edge spoofing exploit revealed
  • Microsoft had released a fix as part of August 14 'Patch Tuesday'
  • Apple is yet to patch spoofing vulnerability

URL bar spoofing allows website addresses to be spoofed in Safari for iOS and Microsoft's Edge browser

Photo Credit: Rafay Baloch

A security researcher claims to have discovered an issue that allows URLs to be spoofed in Safari for iOS and the Microsoft Edge browser for Windows 10. While Microsoft has fixed the bug, Apple is yet to release a fix. The new address bar spoofing attack (CVE-2018-8383) can reportedly be used in phishing to bypass basic indicators like the URL, which are the first checks used to determine if a particular site is fake. The vulnerability was first reported to both companies on June 2, with the researcher setting a 90-day deadline for a fix before publication. Last month, a reminder of the 90-day deadline was issued, and Microsoft released a fix as part of the August 14 'Patch Tuesday'.

Researcher Rafay Baloch explains the vulnerability as a race condition that can enable an attacker to load a legitimate webpage, causing the page's address to appear in the address bar, and then rewrite the body of the page with something dangerous without the URL being updated at all, reports The Register. This could enable an attacker to create fake login screens or other forms that could be used to extract usernames, passwords, and other personal user data, while users think they are on a legitimate page.

Baloch explains, "During my testing, it was observed that upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing." He adds, "It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing."

Proof-of-concept videos for both the Edge browser (v42.17134.1.0) and Safari (iOS 11.3.1) were posted by Baloch on his site. It is interesting to note that since both browsers are closed-source, there is no clarity on why Edge and Safari would be affected by the same issue while Chrome and Firefox remain unaffected. As mentioned, Microsoft has already fixed the bug, but Baloch says Apple will fix it in an upcoming update.

 
