Address Bar Spoofing Flaw Found in Edge, Safari
12.9.2018 securityweek Vulnerebility
A researcher has discovered an address bar spoofing vulnerability in the Microsoft Edge and Apple Safari web browsers, but a patch is currently only available for the former.
Pakistan-based security researcher Rafay Baloch has identified several SOP bypass and address bar spoofing flaws in the past years. This week, he reported finding another spoofing bug that affects Safari on iOS and Edge.
“During my testing, it was observed that both Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch explained in a blog post. “Upon requesting data from a non-existent port the address was preserved and hence due to a race condition over a resource requested from a non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with the setInterval function would be enough to trigger the address bar spoofing.”
Both Microsoft and Apple were notified about the vulnerability in early June. Microsoft, which tracks the flaw as CVE-2018-8383, fixed the issue with its Patch Tuesday updates for August 2018.
“A spoofing vulnerability exists when Microsoft Edge does not properly parse HTTP content. An attacker who successfully exploited this vulnerability could trick a user by redirecting the user to a specially crafted website. The specially crafted website could either spoof content or serve as a pivot to chain an attack with other vulnerabilities in web services,” Microsoft said in its advisory.
Microsoft has classified the flaw as “important,” but assigned it an “Exploitation More Likely” rating in its exploitability assessment. The company has credited Baloch and several others for reporting this flaw.
In the case of Safari for iOS, Baloch said the browser does not allow users to type information into input boxes while the page is still loading – this would normally prevent the spoofing attack – but the restriction can be bypassed by injecting a keyboard into the fake page.
Apple has yet to release a patch. The company was given 90 days to address the issue before its existence was made public, but it did promise to include a fix in an upcoming update of the browser.
The researcher has published videos showing how the attack works against each browser. Proof-of-concept (PoC) code has also been made available for Microsoft Edge.