Address Bar Spoofing Bug affects Chrome, Safari and Opera Browsers

Apple Safari Browsers, Safari bug, Address Spoofing bug, Chrome vulnerability, Android browser spoofing vulnerability, Opera browser bug, security issue of web browser,

Admin

May 20, 2015

A independent security researcher "Rafay Bloch" had founded a Address Bar Spoofing vulnerability on the Google chrome browser on android version in February. After the bug fixed, researcher have disclosed the details of the vulnerability on his blog. Rafay with the help of his friend, Joe Vennix, helped to improve the proof of concept to demonstrate the vulnerability.

The bug was dangerous, as the bug allowed the browser's address bar to be spoofed. That can be enough to convince a victim of a phishing email or text message to enter their usernames and passwords.

The bug was patched in early and then in later April. It affected Android 4.4 "KitKat" and Android 5.0 "Lollipop."

Test on Apple Safari Browsers

After the write-up of the bug, another security researcher, Deusen have tested the Rafay POC on Apple Safari browser. Unfortunately, bad news for Apple that the POC demonstrate the Apple Safari browsers is also effected with the bug. Deusen have published a Proof-of-Concepts on Sunday that allows an attacker spoof the address bar in Safari on iPhones, iPads, and Macs.

The exploit is far from perfect, as the browser can visibly be seen fighting the code to try to display the correct address. The bug works on fully patched versions of iOS and OS X. Malicious attackers might use the bug to dupe Safari users into thinking they're connecting to a trusted site instead of one that's phishing their login credentials or attempting to install malware.

Apple Safari Browsers, Safari bug, Address Spoofing bug

Till yet Apple have not commented on the bug, but hope this will soon be fixed.

Test on Opera Mini

Another security researcher Paulos Yibelo, have also tested the same POC on Opera browsers and the same results he found. He found that Opera Android and Opera Mini browsers were also effected to the bug.

POC code -

<script>
function f()
{
location="http://www.dailymail.co.uk/home/index.html?random="+Math.random(); } setInterval("f()",10);
</script>

The code is hilariously simple to understand, webpage reloads roughly every 10 milliseconds (random) using the setInterval() function, just before the browser can get the real page and so the user sees the ‘real’ web address instead of the fake one - Paulos explain about the code.

So now this bug is taking more badly situation as most of the popular browser of different platform is being affected by the bug.

Google reported releasing patches for Android Lollipop (5.0.x) on April 7, and for Android KitKat (4.4.x) on April 30. Hope Apple and Opera too soon released the patch for bug.