The latest versions of Safari for Mac OS X and iOS are vulnerable to a URL-spoofing exploit that could allow hackers to launch credible phishing attacks.
A group of researchers known as Deusen has demonstrated how the address-spoofing vulnerability could be exploited by hackers to fool victims into thinking they are visiting a trusted website when the Safari browser is actually connected to an entirely different address.
The ability to control the URL shown by the browser can, for example, be used to easily convince users that they are on a bank's website when they are actually on a phishing page designed to steal their financial information.
The vulnerability was discovered by the same group that reported a Universal Cross-Site Scripting (UXSS) flaw in all the latest patched versions of Microsoft's Internet Explorer in February this year, a flaw that put IE users' credentials and other sensitive information at risk.
The group recently published proof-of-concept exploit code that makes the Safari web browser show the Daily Mail's address (dailymail.co.uk) in the address bar although the browser is actually displaying content from deusen.co.uk.
The exploit was tested successfully on an up-to-date MacBook Pro running OS X 10.10.3 and Safari 8.0.6, as well as on an iPhone 5S with iOS 8.3.
The vulnerability could be exploited by hackers to launch highly credible phishing attacks impersonating any website and, through them, hijack users' accounts.
Instead of the Daily Mail website, a hacker could spoof a bank's website and then inject a rogue form asking the user for private financial information.
Based on a quick analysis, the demo page first loads normally from deusen.co.uk and then repeatedly navigates to a Daily Mail URL, which is what the browser's address bar shows. Because the script restarts that navigation every 10 milliseconds, faster than the target page can be fetched, the navigation never completes and the content already rendered from deusen.co.uk stays on screen under the spoofed address.
The script looks like the following (the full Daily Mail URL is elided in the published snippet):

<script>
  function f() {
    // Restart the navigation with a fresh, randomised URL on every call
    location = "dailymail.co.uk/home/index.htm…" + Math.random();
  }
  // Call f() every 10 ms, i.e. faster than the target page can load
  setInterval("f()", 10);
</script>
At this point it is not known whether the vulnerability is being actively exploited by cyber criminals in the wild, and Apple has yet to comment on the issue.