Flaw in Edge and Safari Browser allows Address Bar Spoofing

security news online

A security researcher has discovered an Address Bar Spoofing flaw affecting Microsoft Edge and Apple Safari browser.

The vulnerability (CVE-2018-8383) can be used by the attacker to load a page and then modify the code in the body without changing the URL in the address bar.

The flaw was discovered security researcher Rafay Baloch and said that both Edge and Safari browser allowed to javascript to modify the address bar while the page is still loading.

“Upon requesting data from a non-existent port, the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes the browser to preserve the address bar and to load the content from the spoofed page.”

However, the browser will load the resource and delay induced with setInterval function is enough for the attacker to modify the address bar.

The researcher has notified both the Microsoft and Apple about the flaw on June 2 and was given 90 days public disclosure deadline.

Microsoft has released a patch for the flaw in Edge browser on August 10 as part of patch Tuesday update. Apple has yet to release the patch for safari browser.

Here below is the video proof of concept published by the researcher on the both Edge and Apple Safari browser.



For the latest cyber threats and the latest hacking news please follow us on Facebook and Twitter.

You may be interested in reading: Schneider Electric Shipped out Malware Containing USB Drives



Please rate this content