Pakistani Hackers deface Indian website

A Pakistani cyber-security researcher, Rafay Baloch, has disclosed an address bar spoofing bug in Apple Safari and Microsoft Edge. It lets an attacker serve a phishing page while the browser's address bar shows a legitimate-looking address, so the victim has no visible cue that the content is not from the site it appears to be.

Mr. Baloch has been working in this area for some time and has previously uncovered similar flaws in Google Chrome and Mozilla Firefox, for which he was awarded $5,000.

How does Address Bar Spoofing Work?

According to his findings, both Edge and Safari allowed JavaScript to update the address bar while the requested page was still loading. The bug is a race condition: the attacker's page starts a navigation to a real site, and the address bar is updated to show that site's URL before that site's page has actually replaced the attacker's page on screen.

In that window the attacker's script swaps the content of the page it still controls for something malicious, while the URL displayed in the address bar stays unchanged.

Typically this is a fake login screen or payment form that users take to be genuine, and it can be used to harvest usernames, passwords, credit card details and other sensitive information.
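The race described above, modelled as an added example in JavaScript: this is not Mr. Baloch's proof of concept and not code from either browser, but a toy tab model that shows why updating the address bar when a navigation starts, rather than when the new document actually commits, lets the old page's script keep control under a borrowed address. The attacker and target URLs, the `TabModel` class, the `runSpoofScenario` function and the "vulnerable"/"fixed" policy names are illustrative assumptions, not anything from the advisory.

```javascript
// Added example (not the article's PoC): a toy model of a browser tab
// showing how the address bar can end up describing a page that was never
// rendered. URLs and names below are constructed for illustration.

const ATTACKER_URL = "http://attacker.example/";      // constructed attacker site
const TARGET_URL = "http://www.gmail.com:8080/";      // constructed; mirrors the demo's address

class TabModel {
  // policy: "vulnerable" updates the address bar as soon as a navigation
  // starts; "fixed" updates it only when the new document commits.
  constructor(policy) {
    if (policy !== "vulnerable" && policy !== "fixed") {
      throw new Error("unknown policy: " + policy);
    }
    this.policy = policy;
    this.displayedUrl = null;   // what the user sees in the address bar
    this.document = null;       // { origin, body } currently rendered
    this.pending = null;        // URL of an in-flight navigation, if any
  }

  // A navigation that actually finished: the rendered document is replaced
  // and the address bar is updated together with it.
  commit(url, body) {
    this.displayedUrl = url;
    this.document = { origin: new URL(url).origin, body };
    this.pending = null;
  }

  // Start a navigation. `outcome` is either the string "hang" (the server
  // never answers, e.g. a closed port) or { body } for a real response.
  navigate(url, outcome) {
    this.pending = url;
    if (this.policy === "vulnerable") {
      this.displayedUrl = url;  // shown before a single byte of the new page exists
    }
    if (outcome === "hang") {
      return;                   // old document stays rendered, its script keeps running
    }
    this.commit(url, outcome.body);
  }

  // Script in whichever document is currently rendered rewrites its content.
  scriptRewritesBody(body) {
    this.document.body = body;
  }

  // The property the address bar exists to guarantee: the origin it shows
  // is the origin of the document the user is actually looking at.
  isConsistent() {
    return this.document !== null &&
      new URL(this.displayedUrl).origin === this.document.origin;
  }
}

// Drive the race from the article: the attacker page loads, navigates to a
// target whose server never responds, then rewrites itself as a login form.
function runSpoofScenario(policy) {
  const tab = new TabModel(policy);
  tab.commit(ATTACKER_URL, "<p>harmless landing page</p>");
  tab.navigate(TARGET_URL, "hang");
  tab.scriptRewritesBody("<form>fake Gmail login</form>");
  return {
    displayedUrl: tab.displayedUrl,
    renderedOrigin: tab.document.origin,
    body: tab.document.body,
    consistent: tab.isConsistent(),
  };
}

// Control case: a navigation that does get a response behaves the same
// under both policies, so the fix costs nothing for normal browsing.
function runNormalNavigation(policy) {
  const tab = new TabModel(policy);
  tab.commit(ATTACKER_URL, "<p>start</p>");
  tab.navigate("http://example.com/", { body: "<p>real page</p>" });
  return { displayedUrl: tab.displayedUrl, consistent: tab.isConsistent() };
}

console.log("vulnerable:", runSpoofScenario("vulnerable"));
console.log("fixed:     ", runSpoofScenario("fixed"));
```

With the "vulnerable" policy, `runSpoofScenario` returns a displayed URL whose origin is gmail.com while the rendered document's origin is still the attacker's, which is exactly the state the demo videos show. With the "fixed" policy the address bar keeps the attacker's URL until a response really commits, so the fake login form is shown under the address it actually came from; that commit-time update is the invariant a patched browser has to hold.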

Both Microsoft and Apple were notified of the vulnerability in early June. Microsoft tracks the flaw as CVE-2018-8383 and has shipped an update that fixes it; Apple had not released a fix at the time of writing.

Video Demo

Mr. Baloch also provided demonstration videos for both Apple Safari and Microsoft Edge. Notice how the login screen looks legitimate but is actually hosted by a malicious site, "sh3ifu.com", while all the user sees in the address bar is "www.gmail.com:8080" (gmail.com on port 8080), a normal-looking URL.

Microsoft Edge

 

Apple Safari

 
