A security researcher uncovered a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch's report.
As a result, a user could click a link to an attack site that presents itself as something else, and the browser's address bar would make it look as though they were heading to a safe website. Baloch showed how this works in two proof-of-concept videos, one of which is included below. According to his website, Baloch waited the typical 90 days after notifying Apple and Microsoft before he released his report. We've reached out to Apple and we'll update this post if we receive any additional details.