Safari: URL-Spoofing via Javascript

What do you normally do to make sure that the link you’re going to click on is actually “real” and not malicious? Most likely what most people do: You click on it, check the browser address bar to see if it is indeed sending you where you want to go, and relax.

But wait – if you use Safari as your main browser on your iPhone this might not be your best option right now. A security researcher has recently discovered a vulnerability in Apple’s web browser that allows attackers to control what exactly is displayed in the address bar.

Is the URL fake or isn’t it?

Security researcher Raday Baloch has discovered a couple of address bar spoofing techniques that work in Safari and the Edge browser. The attack is described as a race condition and works as following: A user is tricked into clicking on a malicious link. Past experience shows that this can be achieved rather easily. Now the fake page quickly starts loading a legit page to make sure that the correct link appears in the address bar of the browser. Before it can finish, the site that is being displayed is switched though, and users are presented with a fake page but a “real” URL.

This is only possible because some browser, in this case Edge and Safari (for iOS), allow Javascript to update the address bar while the page is still loading. In the end it causes browsers to keep what’s in the address bar but load an entirely different most likely malicious content. Take a look at the video to see how easy unaware users can be tricked into giving away their login credentials:

Please accept personalization cookies to watch this video.

Issue not yet fixed on Safari

Microsoft addressed the issue pretty fast and released a patch already on August 14th, so if you are an Edge user and update your OS and apps regularly you should be fine. Apple on the other hand has yet to provide its browser with a fix. That basically means that Safari users need to be extra careful right now: If you want to log into a page that holds sensitive information enter the URL yourself.

This post is also available in: German

PR & Social Media Manager @ Avira |Gamer. Geek. Tech addict.