Safari URL-spoofing vuln reveals how fanbois can be led astray

A recently published exploit for the Safari browser demonstrates a URL spoofing mechanism which might convince users they are visiting a legitimate website, when they are actually visiting another site which may be phishing their details. Deusen researchers have disclosed a vulnerability which may be exploited by hackers to …

  1. This post has been deleted by its author

    1. This post has been deleted by its author

  2. dogged

    > The proof-of-concept invites users to visit what appears to be the Daily Mail website

    And they're sending this Guardian-reading iThing owners? I guess that's called deliberately making sure your PoC is safe.

  3. Richard Wharram

    So instead of the Daily Mail?

    They would get some phishing site instead?

    I'd say that's a win to be honest.

  4. Meerkatjie

    I think it will be easier to remove what ever nasty I would get from the phishing site than trying to forget what I would see/read in the Daily Mail.

  5. GordonD

    A few clues this is a phish

    For anyone who can't try this, at first sight, there are a few visible clues.

    Firstly, the correct URL is shown before the spoofed one. Quite obvious when loaded directly, but probably not noticeable if loaded in background or background tab.

    Secondly, there is no icon. I don't know if this is an intrinsic issue with the spoof.

    Thirdly, there is a consistent flicker at the left of the address field where the icon would go, looks like maybe there is some script constantly overwriting the icon.

    It would be interesting to know if this worked with HTTPS sites.

    1. Anonymous Coward

      Re: A few clues this is a phish

      view source.

      Basically it's setInterval(function(){ location="http://target-url-to-display" }, 10)

      So it's trying to load a new page every 10 milliseconds; not long enough to actually complete the navigation before the next iteration triggers.
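    The race that comment describes, as an added illustration that is not code from the article or from any commenter: a small event-loop model of an address bar. It assumes (this is the assumption the model rests on) that the browser shows the pending URL as soon as a navigation starts and only swaps the rendered document when the navigation commits after a fixed load time, so a script that re-assigns `location` faster than the load time keeps restarting the navigation and the bar never falls back. The hostnames, timings and `updateBarOnCommitOnly` switch are all constructed for the example; the static check at the end only matches the literal `setInterval(function(){ location=... }, N)` idiom quoted above.

```javascript
// Added example: model of the address-bar race, not the browser's or the PoC's own code.

// simulateSpoof walks time in 1 ms steps. Per tick: first commit an in-flight
// navigation whose load time has elapsed, then fire the page's interval timer.
// Re-assigning location cancels whatever navigation was in flight and starts a new one.
function simulateSpoof({
  realUrl,                       // the page that is actually rendered ("Website A")
  spoofUrl,                      // the URL the script keeps assigning to location
  intervalMs,                    // setInterval period used by the script
  loadMs,                        // assumed time for a navigation to commit
  runMs,                         // how long to simulate
  updateBarOnCommitOnly = false, // hardened model: bar changes only on commit
}) {
  let displayedUrl = realUrl;    // what the address bar shows
  let documentUrl = realUrl;     // whose DOM is on screen
  let pending = null;            // { url, commitAt } while a navigation is in flight
  let navigationsStarted = 0;
  let navigationsCommitted = 0;

  for (let t = 0; t <= runMs; t++) {
    if (pending && t >= pending.commitAt) {
      documentUrl = pending.url;
      displayedUrl = pending.url;
      navigationsCommitted++;
      pending = null;
    }
    if (intervalMs > 0 && t > 0 && t % intervalMs === 0) {
      // location = spoofUrl
      pending = { url: spoofUrl, commitAt: t + loadMs };
      navigationsStarted++;
      if (!updateBarOnCommitOnly) displayedUrl = spoofUrl; // bar shows the pending URL
    }
  }
  return { displayedUrl, documentUrl, navigationsStarted, navigationsCommitted };
}

// looksLikeLocationSpoof: naive static check for the exact idiom quoted in the comment.
// Returns the interval in ms if the pattern is present, otherwise null.
function looksLikeLocationSpoof(pageSource) {
  const re = /setInterval\s*\(\s*function\s*\(\s*\)\s*\{\s*(?:window\.)?location\s*=\s*["'][^"']+["']\s*;?\s*\}\s*,\s*(\d+)\s*\)/;
  const m = re.exec(pageSource);
  return m ? Number(m[1]) : null;
}

// Constructed sample input, modelled on the quoted one-liner.
const SAMPLE_SOURCE = '<script>setInterval(function(){ location="http://news.example/" }, 10)</script>';

// Stand-alone run: 10 ms re-assignments against a 50 ms load never commit,
// so the bar shows news.example while site-a.example's DOM stays on screen.
const spoofed = simulateSpoof({
  realUrl: "http://site-a.example/", spoofUrl: "http://news.example/",
  intervalMs: 10, loadMs: 50, runMs: 1000,
});
console.log(spoofed);
console.log("hardened bar:", simulateSpoof({
  realUrl: "http://site-a.example/", spoofUrl: "http://news.example/",
  intervalMs: 10, loadMs: 50, runMs: 1000, updateBarOnCommitOnly: true,
}).displayedUrl);
console.log("interval in sample source:", looksLikeLocationSpoof(SAMPLE_SOURCE));
```

Raising `intervalMs` above `loadMs` in the model makes the navigation commit, which is just an ordinary redirect rather than a spoof; the trick depends entirely on the timer beating the load, which is why the comment's 10 ms figure matters.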

  6. Stevie

    Bah!

    So the answer would seem to be to stay away from this insidious "Website A" at all costs.

    Or not to use the Safari browser of course. Speaking for my own experience using it on an iPad Air with an intermittent internet broadband connection (using it on my train commute) it is much less robust in terms of being able to cope with the webs going away and then coming back after a "post" has timed out than my browser of choice. Firefox over Win7 has no problem with the same scenario.

    Trying to edit a "favorite" today had me snarling in rage as numerous attempts failed to update the bloody thing. I ended up deleting it in the end and starting over from scratch. Hands down the worst f*cking browser/platform combination I've ever used.

  7. Anonymous Coward

    Just link bait.

    Why no mention of the same problem on Chrome? Would have ruined the headline to attract hits from those who get off on Apple problems, eh? I suppose Chrome and Chromium were fixed last night to freeze instead.

  8. Anonymous Coward

    On the Safari browser on iOS I find it very annoying the address bar doesn't just show the actual address you're on. Instead their supposed security shows the name of the site instead so you have to trust they are correct. Just leave the original address in there I'll take the responsibility of making sure I'm on a genuine site.

  9. Anonymous Coward

    Just tried it in Chrome on Android L. It displays the correct URL but somewhat-less-desirably causes Chrome to go down in a ball of flames...
