An unpatched vulnerability in the Safari web browser lets attackers control the content displayed in the browser's address bar. This enables carefully crafted phishing attacks that are unlikely to be noticed by users with average IT skills.
The bug, discovered by a security researcher, was later determined to be a race condition: the browser allows JavaScript to update the address bar before a web page has finished loading completely.
Fix: owners are taking their time
Reportedly, the vulnerability could only be reproduced in the Safari and Edge web browsers by security researcher Rafay Baloch, who immediately reported the risk to both browser makers. Only Microsoft responded with a patch, released on 14th August as part of its periodic security updates.
Apple received a report about the bug on 2nd June, along with a 90-day window to fix it before public disclosure. That deadline expired more than a week ago, and there is still no patch for Safari.
Intellect and vision deluded
As of now, the vulnerability is tracked as CVE-2018-8383 and has not yet received a severity score. Exploiting it requires tricking the victim into visiting a specially crafted web page, a precondition that seems readily achievable.
"Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, [we] managed to trigger address bar spoofing," Rafay further explains in a blog post.
By delaying the address bar update, the attacker can impersonate any web page while the address bar keeps showing the legitimate domain name to the victim, complete with the security indicators in all the right places.
BleepingComputer tested the bug on iOS with a proof-of-concept (PoC) page set up by the researcher. The page, which is actually hosted on sh3ifu[.]com, is designed to appear as if its content were loaded from gmail[.]com, and it all works seamlessly.
Even an expert's eye can be fooled, despite the presence of elements that could hint at suspicious activity. For example, the page-loading spinner and the progress bar are both visible, signalling that loading has not finished.
However, this is common on many websites, since lower-priority background components continue loading after the main content appears. Users tap the 'log in' field without reading anything into it.
Safari users cannot type into input fields while the page status is still 'loading', and this is the main obstacle for such an attack. Baloch said that, much as banking Trojans have done for years, he and his team got past this hurdle by injecting a fake keyboard on the screen.
According to reports, Apple is expected to release a fix in its next set of security updates.