A security researcher discovered a security flaw in both Microsoft’s Edge browser and Apple’s Safari. However, more than three months after the flaw was disclosed to both companies, only Microsoft has released a patch.
The flaw allows an attacker to update the browser’s address bar before the webpage finishes loading. This could allow the attacker to display a legitimate website’s name in the address bar.
Attackers could use this to pass off fake sites as real ones and steal information, for example by creating a fake login screen to capture a user’s password.
The researcher, Rafay Baloch, says he reported the vulnerability to both companies on June 2nd and provided them with the customary 90-day timeline.
The 90-day timeline encourages companies to provide quick fixes for flaws. Baloch sent reminders to both companies on August 11th and 14th before the 90 days expired on August 31st.
Microsoft released its patch on the 14th of August.
How it works
One obstacle for attackers is that the Safari browser doesn’t allow users to type information into input boxes while the site loads. However, according to Baloch, this is easily worked around by building a fake keyboard into the website.
Baloch posted a video showing the exploit in action. In the video, you can see that the URL in the address bar changes quickly to ‘xyzbank.com.’
Baloch then loads up another page that shows information acquired from the fake login page. This includes device information and his username and password.
Since the 90 days have passed, Baloch has shared the security flaw. However, he won’t disclose code revealing how to do it until Apple patches it, which, hopefully, will be sooner rather than later.