Image credit: NurPhoto via Getty Images

Security flaw left Safari and Edge users vulnerable to fake websites

Only Microsoft has issued a fix so far.

A security researcher uncovered a flaw in both Safari and Microsoft's Edge browser that allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay Baloch spotted the security issue and notified Apple and Microsoft in early June. But while Microsoft issued a fix in August, Apple has yet to respond to Baloch's report.

"During my testing, it was observed that both Edge and Safari browser allowed JavaScript to update the address bar while the page was still loading," Baloch wrote on his website. "Upon requesting data from a non-existent port, the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page."

Because of this, a user might click a link to an attack site that presents itself as something else, and their browser's address bar would make it look as if they were heading to a safe website. Baloch showed how this works in two proof-of-concept videos, one of which is included below. According to his website, Baloch waited the typical 90 days after notifying Apple and Microsoft before he released his report. We've reached out to Apple and we'll update this post if we receive any additional details.
