Browser address bar exploit persists in Safari; other Mac browsers unaffected

A bug that existed in both Chrome and Safari continues to persist in Safari, and allows a malicious Web site to spoof the browser’s address bar to make it appear that you are at one URL when in fact you are at another.

When data phishing sites attempt to steal your information, they will commonly create page layouts that mimic popular and trustworthy pages like those from Facebook, PayPal, Apple, and others. While some of these are impressively similar to the official pages, one easy way to detect them is to look at your address bar and see that the page’s URL is not an official one.

With this bug, however, malicious individuals can set up a phishing page and then make the URL appear legitimate. Initially discovered by Rapid7 and reported by ZDNet, the bug arises from clever handling of “204 No Content” responses and “” JavaScript event handling code: the page’s address bar continually refreshes, which lets the page show any URL even though that URL is not loaded, all while the malicious page generating the URL keeps functioning.

This exploit can be seen in action on this proof of concept site, where you will see the popular “DailyMail” UK news agency’s URL displayed in the address bar even though the site is not DailyMail.

While this spoof happens, it is not necessarily a major issue, especially to those who keep their eyes out for odd behavior. When you load practically any Web page, the page should load and then stay as-is, and you can check the URL and other details about the address by clicking on it. However, with this exploit, the page’s URL will refresh continuously, making it impossible to select, and can also result in Safari Web Browser content crashes, which simply indicate incorrect behavior.

Therefore, even though Google has patched its vulnerable versions of Chrome and so far no patch has been issued for Safari, the exploit is rather detectable by eye. Basically, if any Web page causes your browser to crash, hang, or stick to any behavior despite your attempts to change it, then do not trust the page you are on and close it down; force your browser to quit if you have to.
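The continual refresh is visible to the eye, and it may also be visible to whoever reads the proxy logs. The following Python is an added example, not part of the original article: it assumes the refresh appears in a proxy log as a burst of 204 responses to one client for one URL whose query string keeps changing, and the log layout, thresholds, host names and addresses are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

WINDOW = timedelta(seconds=2)  # assumed threshold: burst window
MIN_HITS = 10                  # assumed threshold: 204s inside the window

def parse(line):
    """Parse 'ISO-timestamp client status url' (assumed log layout)."""
    ts, client, status, url = line.split()
    parts = urlsplit(url)
    target = parts.netloc + parts.path
    return datetime.fromisoformat(ts), client, int(status), target, parts.query

def find_refresh_bursts(lines):
    """Return (client, host+path) pairs hit by a 204 burst with varying queries."""
    hits = defaultdict(list)
    for line in filter(str.strip, lines):
        ts, client, status, target, query = parse(line)
        if status == 204:
            hits[(client, target)].append((ts, query))
    flagged = set()
    for key, events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most WINDOW.
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            distinct = len({query for _, query in window})
            # Many 204s in a short time, most with a different query string.
            if len(window) >= MIN_HITS and distinct >= len(window) // 2:
                flagged.add(key)
                break
    return flagged

def constructed_sample():
    """Constructed log lines: one refreshing client, one ordinary beacon."""
    base = datetime(2015, 1, 1, 10, 0, 0)
    fmt = "{} {} 204 http://{}?{}"
    burst = [fmt.format((base + timedelta(milliseconds=100 * i)).isoformat(),
                        "10.0.0.7", "spoofed.example/home/index.html", i * 7919)
             for i in range(15)]
    beacon = [fmt.format((base + timedelta(seconds=30 * i)).isoformat(),
                         "10.0.0.5", "tracker.example/beacon", "id=1")
              for i in range(15)]
    return burst + beacon

if __name__ == "__main__":
    print(sorted(find_refresh_bursts(constructed_sample())))
```

A hit is a reason to look at what the client had open, not proof of spoofing, since legitimate pages can also poll with cache-busting query strings.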

In recent tests performed by MacIssues-affiliated researchers, this bug does affect some alternative browsers for OS X, while others do not seem to be affected. Granted, various versions of browsers may show different behavior, but the latest versions show the following behavior:

  • Google Chrome — The browser locks up, but does not incorrectly display the URL
  • iCab — The browser page refreshes but does not display the faulty URL
  • OmniWeb — The address bar chaotically flashes the fake and actual URL
  • Opera — The browser locks up, but does not display the URL
  • Chromium — As with Chrome, the browser locks up but does not display the URL
  • Firefox — Not affected by this problem

8 thoughts on “Browser address bar exploit persists in Safari; other Mac browsers unaffected”

  1. xAirbusdriver

    Did you actually click the “Go” link, as instructed? 😉 A new page opens with the described “fake” DailyMail domain. It is rather obvious as the last part of the url is constantly changing…

  2. B. Jefferson Le Blanc

    Unfortunately, perhaps, most people do not keep an eye out for unusual behavior. They will notice when their browser locks up, but that may be too late to avoid the malicious exploit. In my opinion, given the browsing habits of the average user, this exploit could be more serious than you suggest. Apple needs to patch this.

  3. alvarnell

    I am still able to replicate the problem with the latest Chrome version released yesterday 43.0.2357.65 (64-bit).

    I have found that it can take a very long time for some browsers to display the problem, sometimes several minutes. Switching to a different tab seems to speed up the process.

    I’ve also found the problem in Firefox, Opera, iCab and Maxthon browsers along with iOS Safari.

  4. Roger Pelizzari

    I tried the proof of concept with Firefox and when I clicked “Go” the page wouldn’t load.
    So does that mean that Firefox is also vulnerable?

    1. alvarnell

      Be sure you give it time (several minutes if necessary) to load. If the address bar shows a address, then it is vulnerable.

      1. Roger Pelizzari

        When I click on “Go” I get a page that says,,,,

        “Address bar says – this is NOT”

        But the page never finishes loading.

        Does that mean my Firefox is vulnerable?

  5. alvarnell

    Try switching back to the original tab or window until the test page finishes loading. I have not found a single browser that isn’t vulnerable at this time, although I’ve just heard that a beta version of Chromium finally fixed it, which means that Chrome and Opera should be fixed real soon now.

