Your Apple Safari browser may be affected by address bar spoofing flaw, security researchers say. As a result of it, you may be targeted by spear-phishing attacks and malware.
According to research, an address bar spoofing flaw affects several mobile browsers, including Apple Safari, Opera Touch, UCWeb, Bolt Browser, Yandex Browser, and RITS Browser. The discovery comes from Pakistani researcher Rafay Baloch and cybersecurity firm Rapid7. Note that UCWeb and Bolt are still unpatched, while Opera Mini should be fixed on November 11, 2020.
Where does the address bar spoofing flaw reside?
Originally discovered in Safari for both iOS and Mac, the flaw “occurs due to Safari preserving address bar of the URL when requested over an arbitrary port,” as Baloch explained. The issue is caused by using malicious executable JavaScript code on a random website. The code makes the browser update the address while the page loads to another address chosen by the attackers.
Rafay also says that the address bar spoofing flaw is more effective in Safari by default, as the browser doesn’t reveal the port number in the URL “unless and until focus is set via cursor.”
In other words, threat actors can arrange a malicious website and trick the victim into opening the link sent in a spoofed email or text message. This action would take the potential victim to malware or would steal their credentials.
It is also noteworthy that Safari on macOS is also vulnerable to this flaw. Fortunately, the bug was fixed in a Big Sur macOS update last week.
Baloch discovered similar spoofing flaw in 2018
This is not the first time Rafay Baloch discovers address bar spoofing flaws in popular browsers. In 2018, the researcher reported that both Microsoft Edge and Safari contained an address bar spoofing vulnerability. The statement was made after he tested the browsers with proof-of-concept JavaScript code.
The tests indicated that upon a non-existent port request, a race condition was triggered in the memory process allowing malicious code to spoof the address. Following the report, a security advisory was assigned, and the two companies were notified. The issue was tracked in CVE-2018-8383 advisory.
Milena Dimitrova
An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
Follow Me: