Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Fake Websites Impact Safari and Edge

September 13, 2018

Rafay Baloch, a security researcher, discovered that a flaw in both Microsoft's Edge and Apple's Safari browsers allowed the URL of a safe website to be displayed in the address bar while users were actually being taken to a different, and possibly malicious, website. Rafay wrote, "During my testing, it was observed that both Edge and Safari browser allowed JavaScript to update the address bar while the page was still loading. Upon requesting data from a non-existent port, the address was preserved and hence, due to a race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing. It causes browser to preserve the address bar and to load the content from the spoofed page."

Not a good thing. Baloch waited the typical 90 days before making the report public. Microsoft has since patched Edge for the vulnerability and Apple has not. I don't think having a patch should switch your browser usage to Edge, but definitely don't use Safari.
