“During my testing, it was observed that both the Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading,” Baloch wrote on his website. “Upon requesting data from a non-existent port, the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page.”
Because of this, a user might click a link to an attack site that presents itself as something else, and their browser’s address bar would make it look like they’re heading to a safe website. Baloch showed how this works in two proof-of-concept videos, one of which is included below. According to his website, Baloch waited the typical 90 days after notifying Apple and Microsoft before he released his report. We’ve reached out to Apple and we’ll update this post if we receive any additional details.