What do you normally do to make sure that the link you’re about to click on is actually “real” and not malicious? Most likely what most people do: you click on it, check the browser address bar to see whether it is indeed sending you where you wanted to go, and relax.
But wait – if you use Safari as your main browser on your iPhone this might not be your best option right now. A security researcher has recently discovered a vulnerability in Apple’s web browser that allows attackers to control what exactly is displayed in the address bar.
Is the URL fake or isn’t it?
Security researcher Rafay Baloch has discovered a couple of address bar spoofing techniques that work in Safari and the Edge browser. The attack is described as a race condition and works as follows: a user is tricked into clicking on a malicious link. Past experience shows that this can be achieved rather easily. The malicious page then quickly starts loading a legitimate page, so that the correct link appears in the address bar of the browser. Before that load can finish, however, the content being displayed is switched, and the user is presented with a fake page under a “real” URL.
Issue not yet fixed on Safari
Microsoft addressed the issue pretty fast and had already released a patch on August 14th, so if you are an Edge user and update your OS and apps regularly, you should be fine. Apple, on the other hand, has yet to provide its browser with a fix. That basically means that Safari users need to be extra careful right now: if you want to log into a page that holds sensitive information, enter the URL yourself.