Connect with us

Hi, what are you looking for?



Address Bar Spoofing Flaw Found in Edge, Safari

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.

Pakistan-based security researcher Rafay Baloch has identified several SOP bypass and address bar spoofing flaws in the past years. This week, he reported finding another spoofing bug that affects Safari on iOS and Edge.

“During my testing, it was observed that both Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch explained in a blog post. “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from a non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”

Both Microsoft and Apple were notified about the vulnerability in early June. Microsoft, which tracks the flaw as CVE-2018-8383, fixed the issue with its Patch Tuesday updates for August 2018.

“A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” Microsoft said in its advisory.

Microsoft has classified the flaw as “important,” but assigned it an “Exploitation More Likely” rating in its exploitability assessment. The company has credited Baloch and several others for reporting this flaw.

In the case of Safari for iOS, Baloch said the browser does not allow users to type information into input boxes while the page is still loading – this would normally prevent the spoofing attack – but the restriction can be bypassed by injecting a keyboard into the fake page.

Advertisement. Scroll to continue reading.

Apple has yet to release a patch. The company was given 90 days to address the issue before its existence was made public, but it did promise to include a fix in an upcoming update of the browser.

The researcher has published videos showing how the attack works against each browser. Proof-of-concept (PoC) code has also been made available for Microsoft Edge.

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android

Related: “Wavethrough” Bug in Microsoft Edge Leaks Sensitive Information

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.