Safari address-spoofing bug could be used in phishing, malware attacks


From the department of things that aren’t what they seem, researchers have demonstrated a new address-spoofing exploit that tricks Safari users into thinking they’re visiting one site when in fact the Apple-made browser is connected to an entirely different address.

The recently published proof-of-concept exploit causes the Safari address bar to display dailymail.co.uk even though the browser is rendering content served from deusen.co.uk. It works on fully patched versions of iOS and OS X. Attackers could use the bug to dupe Safari users into believing they are connected to a trusted site when they are in fact on one that is phishing their login credentials or attempting to install malware.


The demo code isn’t perfect. On the iPad Mini Ars tested, the address bar periodically refreshed the address as the page appeared to reload. The behavior might tip off more savvy users that something is amiss. Still, many users would surely fail to spot the unusual refresh. What’s more, the refresh behavior wasn’t observed on a MacBook Pro Ars also tested.

Jeremiah Grossman, CTO of Web security firm White Hat Security, called the hack “clever.” Based on a quick analysis of the JavaScript the demo relies on, the page appears to force Safari to start navigating to the dailymail URL, which the browser immediately reflects in its address bar. Before that page can finish loading, the script kicks off yet another navigation, so the address bar keeps showing the pending dailymail URL while the content on screen is still the attacker’s. The script looks like this:

<script>
// Called every 10 ms: each call starts a fresh navigation to the dailymail
// URL, with Math.random() appended so every request is unique.
function f()
{
location="dailymail.co.uk/home/index.htm…"+Math.random();
}
// The navigation never gets a chance to complete before the next one starts,
// so the address bar shows the pending dailymail URL while the rendered page
// remains the attacker's (deusen.co.uk).
setInterval("f()",10);
</script>
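The pattern above is easy to describe in rules: a `location` assignment inside a function that `setInterval()` fires every few milliseconds, usually with a random cache-buster so the browser cannot short-circuit repeated requests. The following scanner is an added example written for this page (it is not the researchers' demo code nor anything from Ars Technica) that flags inline scripts matching that pattern; the two sample pages, the example.com URL, and the 100 ms interval threshold are all constructed assumptions for illustration.

```javascript
// Added example: heuristic scanner for the Safari address-spoofing pattern
// (location assignment driven by a very short setInterval). The pages and
// thresholds below are constructed for this example, not taken from the
// original demo.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Return the body of every inline <script> block in an HTML string.
function extractScripts(html) {
  const bodies = [];
  let m;
  SCRIPT_RE.lastIndex = 0;
  while ((m = SCRIPT_RE.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Inspect one script body and report which indicators it matches.
// Assumption: an interval of 100 ms or less counts as "short"; a normal
// page has no reason to re-navigate that fast.
const SHORT_INTERVAL_MS = 100;

function analyzeScript(js) {
  const indicators = {
    // `location = ...`, `window.location = ...`, `location.href = ...`,
    // but not comparisons such as `location == x`.
    locationAssign: /\b(?:window\.|document\.)?location(?:\.href)?\s*=(?!=)/.test(js),
    shortInterval: false,
    randomSuffix: /Math\.random\s*\(\s*\)/.test(js),
  };
  // Match setInterval("f()", 10) / setInterval(f, 10) and capture the delay.
  // Callbacks whose inline body contains a comma are not matched; this is a
  // heuristic, not a parser.
  const intervalRe = /setInterval\s*\(\s*(?:"[^"]*"|'[^']*'|[^,]+)\s*,\s*(\d+)\s*\)/g;
  let m;
  while ((m = intervalRe.exec(js)) !== null) {
    if (Number(m[1]) <= SHORT_INTERVAL_MS) indicators.shortInterval = true;
  }
  return indicators;
}

// A script is flagged when it both rewrites location and does so from a
// short interval; the random suffix is reported but not required.
function scanPage(html) {
  return extractScripts(html)
    .map(analyzeScript)
    .filter((i) => i.locationAssign && i.shortInterval);
}

function verdict(html) {
  return scanPage(html).length > 0 ? "spoofing-pattern" : "clean";
}

// Constructed sample pages for the example.
const SPOOF_PAGE = `<html><body>
<script>
function f()
{
location="https://example.com/home/index.html?"+Math.random();
}
setInterval("f()",10);
</script>
</body></html>`;

const BENIGN_PAGE = `<html><body>
<script>
setInterval(function () { document.title = new Date().toString(); }, 1000);
</script>
</body></html>`;

console.log("spoof page:", verdict(SPOOF_PAGE), scanPage(SPOOF_PAGE));
console.log("benign page:", verdict(BENIGN_PAGE));
```

Run it with Node; it prints the verdict and the matched indicators for each constructed page. A real deployment (a proxy, a crawler, or a browser extension) would feed it fetched HTML instead of the inline samples, and would treat a hit as a reason to inspect the page, not as proof of an attack, since the same calls appear in legitimate but unusual code.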

The vulnerability was uncovered by the same researchers who in February reported a bug in a fully patched Internet Explorer version that put user credentials at risk.

Source: http://arstechnica.com/
