Address spoofing Safari bug opens door for phishing attacks

Hacker David Leo has released a PoC exploit for a Safari vulnerability that can be misused to trick users into thinking they are on one site while they are actually on another – a boon for phishers.

“The code is very simple: webpage reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page and so the user sees the ‘real’ web address instead of the fake one,” SANS ISC handler Manuel Humberto Santander Peláez commented on this latest exploit.
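
The behaviour described above, a setInterval() timer that reloads the page every few milliseconds, is a pattern a page scanner can look for. The following is an added example, not code from the PoC or from SANS ISC: a static heuristic that flags short-interval timers whose callback navigates. The function names, the 100 ms threshold and the sample strings are assumptions made for illustration.

```javascript
// Static heuristic (assumes the two-argument setInterval(callback, delay) form).
const NAV_SINK = /\blocation\s*\.\s*(reload|replace|assign)\s*\(|\blocation(\s*\.\s*href)?\s*=(?!=)/;

// Return the index of the ")" matching the "(" at openIdx, skipping string literals.
function matchParen(src, openIdx) {
  let depth = 0, quote = null;
  for (let i = openIdx; i < src.length; i++) {
    const c = src[i];
    if (quote) {
      if (c === "\\") i++;                 // skip the escaped character
      else if (c === quote) quote = null;  // end of string literal
    } else if (c === '"' || c === "'" || c === "`") quote = c;
    else if (c === "(") depth++;
    else if (c === ")" && --depth === 0) return i;
  }
  return -1; // unbalanced input
}

// Flag setInterval calls whose literal delay is <= maxDelayMs and whose
// callback text contains a navigation sink (reload, replace, assign, href write).
function findRapidNavigationTimers(src, maxDelayMs = 100) {
  const findings = [];
  const call = /\bsetInterval\s*\(/g;
  let m;
  while ((m = call.exec(src)) !== null) {
    const open = m.index + m[0].length - 1;
    const close = matchParen(src, open);
    if (close === -1) continue;
    const args = src.slice(open + 1, close);
    const delayMatch = /,\s*(\d+(?:\.\d+)?)\s*$/.exec(args);
    if (!delayMatch) continue;             // non-literal delay: not handled here
    const delayMs = Number(delayMatch[1]);
    const callback = args.slice(0, delayMatch.index);
    if (delayMs <= maxDelayMs && NAV_SINK.test(callback)) {
      findings.push({ offset: m.index, delayMs });
    }
  }
  return findings;
}

// Constructed sample inputs (not taken from the PoC).
const SAMPLE_RELOAD = 'setInterval(function () { location.reload(); }, 10);';
const SAMPLE_CLOCK = 'setInterval(function () { tick(")"); }, 10);';
const SAMPLE_SLOW = 'setInterval(() => { location.href = "/status"; }, 30000);';
```

A hit is a triage signal, not a verdict: legitimate pages also use timers, and the check does not see delays computed at run time or obfuscated scripts.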

Leo tested the exploit on the Safari browser on an iPad.

Help Net Security tested it and the exploit worked, but only until the user switched to another opened tab.

Also, an experienced user might notice in the lower left corner of the address bar the (very faint) flickering of the loading progress bar repeatedly going from zero to a few percent and back, and find it suspicious, but many users wouldn’t.

All in all, while the exploit is not perfect, it can definitely be used to dupe some users.

Earlier this year Leo demonstrated a similar attack targeting Internet Explorer users.
