Some of the most popular web browsers on the planet were recently discovered to have an acute security issue.
If exploited, it allowed a potential hacker to get your usernames and passwords with ease without triggering any anti-malware service, or any browser security, as it merely used the browser’s very own component – the address bar, the text box where you input a website before visiting it.
This flaw was discovered in Microsoft Edge and Apple’s Safari browser by Rafay Baloch, a Pakistani Cyber Security specialist, who managed to find vulnerabilities in some top-end software.
Microsoft Edge comes by default in most Windows devices and Apple Safari, too, is a default browser that is used in almost ever Apple-made smart device, including iPhones, iPads, and even Macbooks.
Address Bar Spoofing – How it Works
Rafay Baloch wrote in his article that an address bar can be used to easily breach someone’s privacy, without them noticing it. The reason this is possible is because an address bar is the only reliable indicator for security in new browsers, as it displays the site’s URL and other details related to the webpage you are on.
But what if this very address bar gets manipulated? It could be used to trick users to supply their sensitive data, such as credentials, passwords, and even credit card numbers to a malicious website without them even noticing it. The cyber security researcher wrote,
If the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance, potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is legitimate website as the address bar points to the correct website.
Check out Mr. Baloch’s demonstrations in his videos:
Microsoft Edge
ARVE Error: src mismatchprovider: youtube
url: https://www.youtube.com/watch?v=Ni2XzF5-ixY
src in org: https://www.youtube-nocookie.com/embed/Ni2XzF5-ixY?feature=oembed&modestbranding=0&showinfo=0&rel=0&autoplay=1
src in mod: https://www.youtube-nocookie.com/embed/Ni2XzF5-ixY?modestbranding=0&showinfo=0&rel=0&autoplay=1
src gen org: https://www.youtube-nocookie.com/embed/Ni2XzF5-ixY
Apple Safari
ARVE Error: src mismatchprovider: youtube
url: https://www.youtube.com/watch?v=dGJSsK55nfQ
src in org: https://www.youtube-nocookie.com/embed/dGJSsK55nfQ?feature=oembed&modestbranding=0&showinfo=0&rel=0&autoplay=1
src in mod: https://www.youtube-nocookie.com/embed/dGJSsK55nfQ?modestbranding=0&showinfo=0&rel=0&autoplay=1
src gen org: https://www.youtube-nocookie.com/embed/dGJSsK55nfQ
So, if you noticed, the URL on the top of the browser in the address bar reads “www.gmail.com/8080”, even though the webpage is actually hosted by a malicious “sh3ifu.com”. This technique masked the actual intent of the malicious website, by tricking the address bar into displaying a different web address.
The issue has been tended to in Microsoft Edge’s latest update. Apple Safari still has this issue, though it will get fixed in an upcoming patch.
To read the technical details on how this spoofing technique works, you can check out Rafay Baloch’s article.
hmmm
As soon as I read ‘Pakistani Researcher’ I knew it was Rafay Baloch :)
As soon as I read ‘Pakistani Researcher’ I knew it was Rafay Baloch :)