Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Address Bar Spoofing Flaw Found in Edge, Safari

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

Pakistan-based security researcher Rafay Baloch has identified several SOP bypass and address bar spoofing flaws in the past years. This week, he reported finding another spoofing bug that affects Safari on iOS and Edge.

“During my testing, it was observed that both Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch explained in a blog post. “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from a non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”

Both Microsoft and Apple were notified about the vulnerability in early June. Microsoft, which tracks the flaw as CVE-2018-8383, fixed the issue with its Patch Tuesday updates for August 2018.

“A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” Microsoft said in its advisory.

Microsoft has classified the flaw as “important,” but assigned it an “Exploitation More Likely” rating in its exploitability assessment. The company has credited Baloch and several others for reporting this flaw.

In the case of Safari for iOS, Baloch said the browser does not allow users to type information into input boxes while the page is still loading – this would normally prevent the spoofing attack – but the restriction can be bypassed by injecting a keyboard into the fake page.

Apple has yet to release a patch. The company was given 90 days to address the issue before its existence was made public, but it did promise to include a fix in an upcoming update of the browser.

Advertisement. Scroll to continue reading.

The researcher has published videos showing how the attack works against each browser. Proof-of-concept (PoC) code has also been made available for Microsoft Edge.

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android

Related: “Wavethrough” Bug in Microsoft Edge Leaks Sensitive Information

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.