Pakistani security researcher Rafay Baloch has disclosed an address bar spoofing vulnerability in Apple Safari and Microsoft Edge. The bug lets an attacker serve a malicious page while the address bar displays a legitimate-looking URL, so a victim who checks the address still believes they are on the genuine site.
Baloch has worked on this class of bug for some time and has previously reported similar flaws in Google Chrome and Mozilla Firefox, for which he received $5,000 in bug bounties.
How does Address Bar Spoofing Work?
The victim first lands on an attacker-controlled page. That page then navigates to a URL on the target domain using a port where nothing is listening (which is why the demo URL carries port 8080), so the request stalls. The browser has already updated the address bar to show the new URL, but the attacker's page remains rendered and its JavaScript keeps running, rewriting the page content while the displayed address stays unchanged.
The rewritten content is typically a fake login form or similar page that the victim takes to be genuine; anything typed into it, such as usernames, passwords or card details, goes to the attacker.
Both Microsoft and Apple were notified of the vulnerability in early June. Microsoft tracked the flaw as CVE-2018-8383 and shipped a fix in its August 2018 security updates, but Apple has not yet released a patch for Safari.
Baloch also published demonstration videos for both Safari and Edge. In them the login screen looks legitimate but is actually hosted on the attacker's domain, sh3ifu.com, while the address bar shows www.gmail.com:8080, a plausible-looking URL. Because the trick depends on requesting a port on the target host that does not answer, the non-standard port in the address bar is the only visible tell; on an unpatched browser the displayed hostname alone cannot be trusted.