There is a vulnerability in Safari that enables attacks to display correct URLs and fake login pages and extract personal information

by pixelcreatures

A vulnerability has been reported using Microsoft's Edge and Apple's Safari that allows you to "display the login page of fake while displaying the correct URL in the address bar and exploit personal information from users" . Edge is being addressed by Windows update in August, but Safari still remains vulnerable.

Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup - Miscellaneous Ramblings of A Ethical Hacker
https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html

Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs
https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html

Rafay Baloch, a security researcher living in Pakistan, pointed out that using a race condition "Once you display the official website URL in the address bar, then replace the URL during loading" The hacking method you can do is possible with Safari and Edge. While loading the page, changing the URL of the address bar by JavaScript, the URL displayed in the address bar does not change so you can move it to another page without user's notice.

What kind of hacking will be possible can be confirmed from the following movie.

Microsoft Edge Address Bar Spoofing Vulnerability By Rafay Baloch - YouTube


Opening the URL "http://sh3ifu.com/bt/Edge-Spoof.html" ......

The URL "https://www.gmail.com:8080/" will appear and Google's login screen will appear. However, actually the content displayed is "sh3ifu.com". This is a state in which requests are made from ports that do not exist and JavaScript changes the address bar to the URL of the fake page while the page is loaded. The delay caused by setInterval triggers it as if the page is already transitioning.

If you believe that you are a Google login page and enter your user name and password, you will be informed while you do not know.

Ultimately, it moves to a real login page and it will be "I found out that it was wrong?", But many people think that simply failed in login.

In addition, you can see the version using Safari from the following. Basically, in Safari typing can not be done while loading a page, but it is said that it is possible to input information by putting a fake keyboard on the page.

Safari Address Bar Spoofing Vulnerability By Rafay Baloch - YouTube


Microsoft solved this problem with the monthly update in August, but Apple has not distributed patches to Safari and the vulnerability is still left unattended.

According to Baloch, Google Chrome and Firefox have not found any vulnerability to enable such attacks.