A security researcher has discovered an address bar spoofing flaw affecting the Microsoft Edge and Apple Safari browsers.
The vulnerability (CVE-2018-8383) can be used by an attacker to load a page and then modify the code in its body without changing the URL shown in the address bar.
“Upon requesting data from a non-existent port, the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page.”
Because the requested port does not exist, the browser never receives a real response; however, it still attempts to load the resource, and the delay induced by the setInterval function is enough for the attacker to rewrite the page content while the address bar keeps showing the requested URL.
The researcher notified both Microsoft and Apple about the flaw on June 2 and was given a 90-day public disclosure deadline.
Microsoft released a patch for the flaw in the Edge browser on August 10 as part of its Patch Tuesday update. Apple has yet to release a patch for the Safari browser.
Below is the video proof of concept published by the researcher, showing the flaw in both Edge and Safari.