Apple's Safari Falls For New Address Bar Spoofing Trick
(Sep 11, 2018)
A vulnerability in the Safari web browser, registered as “CVE-2018-8383,” has been discovered that allows threat actors to control the content displayed in the address bar and thereby build difficult-to-detect phishing pages. Security researcher Rafay Baloch reproduced the vulnerability in both the Safari and Microsoft Edge web browsers. A threat actor could delay the address bar from updating to the page's true URL and impersonate any web page while the target sees a legitimate domain name in the bar, complete with the browser's authentication indicators. For example, Baloch tested this with a proof-of-concept (PoC) page that loaded content from gmail[.]com while being hosted on a sh3ifu[.]com server. Such a page could in principle be spotted because the page-loading spinner and progress bar remain visible, but the same behavior is commonly seen when background elements of a legitimate page load slowly, so it is not a reliable indicator. Apple acknowledged the bug and is reportedly including a fix in its upcoming security update release.
Recommendation: Users should confirm that they are on the correct web page before entering any credentials, especially if they arrived there by clicking an obfuscated link or through a redirect. Never enter passwords into a form served over HTTP. If the connection is over HTTPS, view the certificate to ensure that the name on it matches the domain shown in the URL bar.