Security researcher Rafay Baloch discovered a vulnerability, an old bug that
resides in the Safari web browser. The bug allows a 'bad actor' to spoof the
URL of a webpage by means of JavaScript running in the background. The bug
could be used to carry out a phishing attack, putting a person in serious
trouble without their even realising the threat. The bug is said to be a race
condition that is triggered with JavaScript and changes the URL before the
actual web page has loaded completely.
To exploit this vulnerability, tracked as CVE-2018-8383, an attacker has to
lure the victim into a trap by building a specially designed site that looks
similar, which is easily accomplished.
But the sad part is that, even after the bug was reported to Apple and
Microsoft, they took no action on it, even after the three-month grace period
for the CVE was over.
However, Microsoft released a patch with the August Windows security update.
Apple's delay left the Safari browser vulnerable, which lets a hacker
impersonate a site with a similar URL and authentication.
During the proof of concept (PoC), it was observed that the page could load
Gmail content while the code was hosted on sh3ifu.com. The code worked
perfectly, but a few components were observed to be still in a loading state,
showing that the process was incomplete.
According to Baloch, the main issue with the Safari browser is that the user
can't type in the address field while the page is loading. But he and his team
worked around this by injecting a fake keyboard on the screen.
Apple later confirmed that it will fix this issue and release a patch in its
next security update.