Thursday, May 21, 2015

Safari URL-spoofing Bug

Lucian Constantin:

The issue was discovered by security researcher David Leo, who published a proof-of-concept exploit for it. Leo’s demonstration consists of a Web page hosted on his domain that, when opened in Safari, causes the browser to display dailymail.co.uk in the address bar.

The ability to control the URL shown by the browser can, for example, be used to easily convince users that they are on a bank’s website when they are actually on a phishing page designed to steal their financial information.

[…]

That’s because the attack code is designed to redirect the browser to the spoofed URL, but before the content is loaded, the code reloads the current page.


Ben Kennedy

While not directly related, another URL-spoofing deficiency in Safari (although sadly by design) is the Google search takeover when the user enters several discrete terms into the URL bar. This has infuriated me since the beginning. It's rather the inverse, actually: Safari loads a Google page, and leaves the keywords showing in the bar, but a copy/paste of them actually copies the real Google search URL. What you see is not what you get.
