A security researcher who found a security hole in Safari says that Apple has still not fixed it, more than three months after he informed the company. The same vulnerability was present in Microsoft’s Edge browser, but the company issued a patch a month ago …

The flaw results in Safari showing the URL of a safe website like gmail.com while the user has in fact been sent to an attack site.

Rafay Baloch posted a video (below) with proof that the vulnerability could be exploited. It relies on a standard phishing technique, where an email presents a safe URL but the link itself sends you somewhere else. Usually, you’d be able to spot this from Safari’s address bar, but the exploit allows a bad site to ensure the safe URL is displayed despite the fact that you’re on a phishing site.

In the example given, Safari’s address bar displays the URL of a bank website while the visitor is actually on a completely different server.

The exploit is possible because Safari allows the address bar to be updated by JavaScript while the page is still loading. So the attacker would direct you to their malicious site and then update the address bar to show the name of the safe one.

With Safari, there is one further challenge for an attacker to overcome, but Baloch’s video shows that this can be achieved.

The Register reports that Baloch waited the normal 90 days after advising Apple before releasing details of the exploit. This time window is designed to encourage companies to promptly close security holes once they have been informed of them.