A significant vulnerability was discovered in the Microsoft Edge web browser for Windows and Apple Safari for iOS that could allow attackers to spoof website addresses.
Microsoft fixed the address bar URL spoofing vulnerability last month in its August monthly security updates, while Safari is still unpatched, possibly leaving Apple users vulnerable to phishing attacks.
Today’s phishing attacks are sophisticated and very difficult to detect, and this newly discovered vulnerability takes them to another level: it defeats basic indicators like the URL and SSL, which are the first things a user checks to determine whether a website is fake.
How Does the URL Spoofing Vulnerability Work?
The flaw could allow an attacker to start loading a legitimate page, so that the page address is displayed in the URL bar, and then immediately replace the code in the web page with malicious code.
Baloch wrote in his blog: “Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing.
It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will, however, eventually load the resource; however, the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”
The URL in the address bar remains the same and so this phishing attack would be difficult to detect even for an expert user.
By making use of this vulnerability, a hacker can spoof any web page like Gmail, Facebook, Twitter, or bank websites, and create fake login screens to steal credentials and other data from users, who see the legitimate domain in the address bar.
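A defender triaging a captured phishing page can look for the two signals named in the quote above: a setInterval timer and a request to a URL with an explicit port. The following is an added example, not code from the researcher or from either browser vendor; the function names, the sample hosts and the choice to treat the two signals together as suspicious are assumptions, and a hit only marks a script for manual review.

```javascript
// Added example: static triage of inline scripts in a captured page.
// Assumption: the two signals (setInterval timer, URL with explicit port)
// come from the quoted description; this is a heuristic, not a signature.

// Absolute http(s) URLs that appear as string literals in script source.
function urlLiterals(source) {
  const urls = [];
  for (const m of source.matchAll(/["'`](https?:\/\/[^"'`\s]+)["'`]/g)) {
    try {
      urls.push(new URL(m[1]));
    } catch (_) {
      // Literal looked like a URL but does not parse; ignore it.
    }
  }
  return urls;
}

// Score one script. URL.port is "" when the port is absent or is the
// scheme default (80/443), so only explicit non-default ports are kept.
function triageScript(source) {
  const timers = (source.match(/\bsetInterval\s*\(/g) || []).length;
  const portTargets = urlLiterals(source)
    .filter((u) => u.port !== "")
    .map((u) => `${u.hostname}:${u.port}`);
  return { timers, portTargets, suspicious: timers > 0 && portTargets.length > 0 };
}

// Triage every inline <script> block of a saved HTML capture.
function triagePage(html) {
  const results = [];
  for (const m of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    results.push(triageScript(m[1]));
  }
  return results;
}

// Constructed sample capture (hypothetical hosts and helper names).
const SAMPLE_HTML = `
<script>var t = setInterval(tick, 10); go("https://login.example.test:8080/");</script>
<script>fetch("https://cdn.example.test/app.js"); setInterval(poll, 5000);</script>
<script>load("https://api.example.test:443/v1");</script>`;

console.log(triagePage(SAMPLE_HTML));
```

A static check cannot tell whether the port is actually closed, so legitimate pages that poll a service on a custom port will also be flagged.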
Proof-of-Concept Video Demonstrations
Check the proof-of-concept videos for both Edge and Safari published by the researcher.
However, Google Chrome and Mozilla Firefox web browsers are safe as they are not affected by this vulnerability.