Security flaw left Safari and Edge users vulnerable to fake websites

Only Microsoft has issued a fix so far.
Mallory Locklear, @mallorylocklear
September 12, 2018
Image credit: NurPhoto via Getty Images

A security researcher uncovered a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch's report.

"During my testing, it was observed that both the Edge and Safari browsers allowed JavaScript to update the address bar while the page was still loading," Baloch wrote on his website. "Upon requesting data from a non-existent port, the address was preserved, and hence a race condition over a resource requested from a non-existent port, combined with the delay induced by the setInterval function, managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page."

Because of this, a user might click a link to an attack site posing as something else, and the browser's address bar would make it look like they were heading to a safe website. Baloch showed how this works in two proof-of-concept videos, one of which is included below. According to his website, Baloch waited the typical 90 days after notifying Apple and Microsoft before he released his report. We've reached out to Apple and we'll update this post if we receive any additional details.
