On Tuesday, cybersecurity researchers unveiled a significant address bar spoofing vulnerability that impacts various mobile browsers, including Apple Safari and Opera Touch. This flaw poses a substantial risk, enabling attackers to launch spear-phishing campaigns and disseminate malware.
Other affected browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser. The vulnerabilities were identified by Rafay Baloch, a security researcher from Pakistan, during the summer of 2020 and were jointly reported with cybersecurity firm Rapid7 in August. Over recent weeks, browser developers have begun to address the vulnerabilities.
As of now, UCWeb and Bolt Browser have yet to implement a fix, while Opera Mini is expected to deliver a patch by November 11, 2020.
The underlying issue arises from a technique that utilizes malicious JavaScript code hosted on a deceptive website, manipulating the browser to alter the displayed URL in the address bar while a page is still in the process of loading.
In a technical analysis, Baloch stated, “The vulnerability arises when Safari retains the browser’s address bar for URLs requested over arbitrary ports. The set interval function reloads bing.com:8080 at intervals of 2 milliseconds, preventing users from recognizing the redirection from the original to the spoofed URL.” He pointed out that by default, Safari conceals port numbers unless a user explicitly focuses on the URL.
This means that an attacker can create a malicious website and entice targets to click on a link in a spoofed email or message, potentially leading them to download malware or compromise their credentials.
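A defensive check that follows from the port-hiding behaviour described above, added here as an example and not taken from Baloch's or Rapid7's write-up: it scans message text for links that carry an explicit non-default port, the detail Safari does not show by default. The function names, sample message and hostnames are constructed for illustration.

```javascript
// Added example: surface links whose explicit port a mobile address bar may hide.
// The message text and hostnames below are constructed sample data.

// Pull http(s) URLs out of free text such as an e-mail or chat message body.
function extractUrls(text) {
  return text.match(/https?:\/\/[^\s<>"')]+/gi) || [];
}

// Return one finding per link that is unparseable or names a non-default port.
function findHiddenPortLinks(text) {
  const findings = [];
  for (const raw of extractUrls(text)) {
    let url;
    try {
      url = new URL(raw);
    } catch {
      // A link the parser rejects is worth a human look as well.
      findings.push({ raw, reason: "unparseable URL" });
      continue;
    }
    // The URL parser drops scheme-default ports, so url.port is "" for
    // https://host:443/ and "8080" for http://host:8080/.
    if (url.port !== "") {
      findings.push({
        raw,
        host: url.hostname,
        port: url.port,
        reason: "explicit non-default port",
      });
    }
  }
  return findings;
}

// Constructed sample message: one default-port link written with :443,
// one plain link, and two links on non-default ports.
const SAMPLE_MESSAGE = [
  "Your statement is ready: http://www.example.com:8080/login",
  "Help pages: https://example.org/help and https://example.org:443/faq",
  "Mirror: https://files.example.net:8443/update.pkg",
].join("\n");

console.log(findHiddenPortLinks(SAMPLE_MESSAGE));
```

A mail gateway or proxy could run a check like this and show the full host and port to the user or analyst before the link is opened.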
The research also revealed that the macOS version of Safari shares the same vulnerability, which was recently patched in the Big Sur macOS update. Additionally, this is not the first instance where such a flaw has been recorded in Safari. In 2018, Baloch identified a similar address bar spoofing issue that allowed the browser to retain the address bar content while loading from a malicious source due to JavaScript timing delays.
Baloch emphasized the escalating sophistication of spear-phishing attacks and the potential for exploitation of browser vulnerabilities such as address bar spoofing to significantly increase the effectiveness of such attacks. He noted that when the address bar seemingly points to a legitimate site, it is straightforward to deceive users into unwittingly providing credentials or downloading malicious software, thereby evading many anti-phishing measures.