November 25, 2018

Vulnerability discovered in Safari browser that leads to URL spoofing

Security researcher Rafay Baloch discovered a vulnerability, stemming from an old bug, in the Safari web browser. The bug allows a 'bad actor' to spoof the URL of a web page by means of JavaScript running in the background. The bug is expected to be used for phishing attacks, which can put a person in serious trouble without them even realising the threat. The bug is said to be a race condition that is triggered with JavaScript and changes the URL before the actual web page has loaded completely.

To exploit this vulnerability, tracked as CVE-2018-8383, an attacker has to trap the victim with a specially designed site, which should look similar to the real one and is easy to accomplish.

But the sad part is that, even after the bug was reported to Apple and Microsoft, they did not take any action on it, even after the three-month grace period for the CVE was over.

However, Microsoft released a patch with the August Windows security update. But Apple's delay left the Safari browser vulnerable, which allows a hacker to impersonate a site with a similar URL and authentication.

During the proof of concept (PoC), it was observed that the page could load Gmail content while the code was hosted on sh3ifu.com. The code worked perfectly, but a few components were observed to be still in a loading state, showing that the process was incomplete.

According to Baloch, the main issue with the Safari browser is that the user can't type in the address field while the page is loading. But he and his team resolved this issue by injecting a fake keyboard on the screen.

Later, Apple confirmed that it will fix this issue and release a patch in its next security update.


   
