Security flaw left Safari and Edge users vulnerable to fake websites

Only Microsoft has issued a fix so far.

NurPhoto via Getty Images

A security researcher uncovered a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch's report.

"During my testing, it was observed that both Edge and Safari browser allowed JavaScript to update the address bar while the page was still loading," Baloch wrote on his website. "Upon requesting data from a non-existent port, the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes browser to preserve the address bar and to load the content from the spoofed page."

Because of this, a user might click a link to an attack site, presenting itself as something else, and their browser's address bar would make it look like they're heading to a safe website. Baloch showed how this works in two proof-of-concept videos, one of which is included below. According to his website, Baloch waited the typical 90 days after notifying Apple and Microsoft before he released his report. We've reached out to Apple and we'll update this post if we receive any additional details.