A serious security vulnerability has been uncovered in Apple’s Safari web browser that could trick Safari users into visiting a malicious website while the browser shows a genuine web address.
A group of researchers, known as Deusen, has demonstrated how the address spoofing vulnerability could be exploited by hackers to fool victims into thinking they are visiting a trusted website when the Safari browser is actually connected to an entirely different address.
This flaw could let an attacker lead Safari users to a malicious site instead of the trusted website they intended to visit, in order to install malicious software and steal their login credentials.
The vulnerability was discovered by the same group who reported a Universal Cross Site Scripting (XSS) flaw in all the latest patched versions of Microsoft’s Internet Explorer in February this year that put IE users’ credentials and other sensitive information at risk.
The group recently published proof-of-concept exploit code that makes the Safari web browser display the Daily Mail's web address (dailymail.co.uk) even though the browser is displaying content from deusen.co.uk.
The POC works on fully patched versions of Apple’s mobile operating system (iOS) as well as its desktop operating system (OS X).
What’s even worse?
The vulnerability could be exploited by hackers to launch highly credible phishing attacks or hijack users’ accounts on any website.
Instead of the Daily Mail website, a hacker could use a bank website and then inject a rogue form asking the user for private financial information.
Based on a quick analysis, the demo page appears to force Safari to navigate to the Daily Mail URL, which is what the browser's user interface then shows. The script quickly loads another URL before the page can be loaded.
The script looks like the following:
<script>
function f() {
  location="dailymail.co.uk/home/index.htm…"+Math.random();
}
setInterval("f()",10);
</script>
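A defender-side check for this pattern, as an added example (not code from Deusen or from the original article): a heuristic scanner that flags inline scripts in which setInterval repeatedly runs a function that assigns to location. The function names, the 1000 ms threshold and the two sample pages are assumptions constructed for illustration.

```javascript
// Added example: heuristic scanner for timer-driven navigation loops in inline scripts.
const NAVIGATES = /\blocation(?:\.href)?\s*=(?!=)|\blocation\.(?:assign|replace)\s*\(/;
const MAX_INTERVAL_MS = 1000; // assumed threshold: anything faster is treated as a loop

// Return the text between the brace at `open` and its matching closing brace.
function bodyAt(src, open) {
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === "{") depth++;
    else if (src[i] === "}" && --depth === 0) return src.slice(open + 1, i);
  }
  return src.slice(open + 1); // unbalanced script: take the rest
}

// Names of declared functions whose body assigns to, or calls a method on, location.
function navigatingFunctions(script) {
  const names = new Set();
  const decl = /function\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{/g;
  for (let m; (m = decl.exec(script)); ) {
    const body = bodyAt(script, m.index + m[0].length - 1);
    if (NAVIGATES.test(body)) names.add(m[1]);
  }
  return names;
}

// Flag setInterval calls that repeatedly run a navigating function.
function findNavigationLoops(html) {
  const findings = [];
  const scripts = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const timer = /setInterval\s*\(\s*(?:["']\s*([A-Za-z_$][\w$]*)\s*\(\s*\)\s*;?\s*["']|([A-Za-z_$][\w$]*))\s*,\s*(\d+)\s*\)/g;
  for (let s; (s = scripts.exec(html)); ) {
    const navigating = navigatingFunctions(s[1]);
    timer.lastIndex = 0;
    for (let t; (t = timer.exec(s[1])); ) {
      const callback = t[1] || t[2];
      const intervalMs = Number(t[3]);
      if (navigating.has(callback) && intervalMs <= MAX_INTERVAL_MS)
        findings.push({ callback, intervalMs });
    }
  }
  return findings;
}

// Constructed samples: the first mirrors the shape of the script quoted above.
const SUSPECT = '<script>function f(){location="https://example.test/?"+Math.random();}setInterval("f()",10);</script>';
const BENIGN = '<script>function tick(){document.title=String(Date.now());}setInterval(tick,10);</script>';
console.log(findNavigationLoops(SUSPECT), findNavigationLoops(BENIGN));
```

The scanner only covers named functions passed to setInterval in inline scripts, so treat a hit as a triage signal for closer review rather than a verdict.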
At this point, Apple has not confirmed whether the vulnerability is being actively exploited by cyber criminals in the wild, and the company has yet to comment on the issue.