A bug that existed in both Chrome and Safari continues to persist in Safari, and allows a malicious Web site to spoof the browser’s address bar to make it appear that you are at one URL when in fact you are at another.
When data phishing sites attempt to steal your information, they will commonly create page layouts that mimic popular and trustworthy pages like those from Facebook, Paypal, Apple, and others. While some of these are impressively similar to the official pages, one easy way to detect them is to look at your address bar and see that the page’s URL is not an official one.
While this spoof happens, it is not necessarily a major issue, especially to those who keep their eyes out for odd behavior. When you load practically any Web page, the page should load and then stay as-is, and you can check the URL and other details about the address by clicking on it. However, with this exploit, the page’s URL will refresh continuously making it impossible to select, and also potentially result in Safari Web Browser content crashes that simply indicate incorrect behavior.
Therefore, even though Google has patched is vulnerable versions of Chrome and so far no patch has been issued for Safari, the exploit is rather detectable by eye. Basically, if any Web page causes your browser to crash, hang, or stick to any behavior despite your attempts to change it, then do not trust the page you are on and close it down–force your browser to quit if you have to.
In recent tests performed by MacIssues-affliated researchers, this bug does affect some alternative browsers for OS X, while others do not seem to be affected. Granted various versions of browsers may show different behavior, but the latest versions show the following behavior:
- Google Chrome — The browser locks up, but does not incorrectly display the URL
- iCab — The browser page refreshes but does not display the faulty URL
- OmniWeb — The address bar chaotically flashes the fake and actual URL
- Opera — The browser locks up, but does not display the URL
- Chromium — As with Chrome, the browser locks up but does not display the URL
- Firefox — Not affected by this problem