A bug that existed in both Chrome and Safari continues to persist in Safari, and allows a malicious Web site to spoof the browser’s address bar to make it appear that you are at one URL when in fact you are at another.
When data phishing sites attempt to steal your information, they will commonly create page layouts that mimic popular and trustworthy pages like those from Facebook, Paypal, Apple, and others. While some of these are impressively similar to the official pages, one easy way to detect them is to look at your address bar and see that the page’s URL is not an official one.
While this spoof happens, it is not necessarily a major issue, especially to those who keep their eyes out for odd behavior. When you load practically any Web page, the page should load and then stay as-is, and you can check the URL and other details about the address by clicking on it. However, with this exploit, the page’s URL will refresh continuously making it impossible to select, and also potentially result in Safari Web Browser content crashes that simply indicate incorrect behavior.
Therefore, even though Google has patched is vulnerable versions of Chrome and so far no patch has been issued for Safari, the exploit is rather detectable by eye. Basically, if any Web page causes your browser to crash, hang, or stick to any behavior despite your attempts to change it, then do not trust the page you are on and close it down–force your browser to quit if you have to.
In recent tests performed by MacIssues-affliated researchers, this bug does affect some alternative browsers for OS X, while others do not seem to be affected. Granted various versions of browsers may show different behavior, but the latest versions show the following behavior:
- Google Chrome — The browser locks up, but does not incorrectly display the URL
- iCab — The browser page refreshes but does not display the faulty URL
- OmniWeb — The address bar chaotically flashes the fake and actual URL
- Opera — The browser locks up, but does not display the URL
- Chromium — As with Chrome, the browser locks up but does not display the URL
- Firefox — Not affected by this problem
actually the exploit is not working on the site you linked to.
Did you actually click the “Go” link, as instructed? 😉 A new page opens with the described “fake” DailyMail domain. It is rather obvious as the last part of the url is constantly changing…
Unfortunately, perhaps, most people do not keep an eye out for unusual behavior. They will notice when their browser locks up, but that may be too late to avoid the malicious exploit. In my opinion, given the browsing habits of the average user, this exploit could be more serious than you suggest. Apple needs to patch this.
I am still able to replicate the problem with the latest Chrome version released yesterday 43.0.2357.65 (64-bit).
I have found that it can take a very long time for some browsers to display the problem, sometimes several minutes. Switching to a different tab seems to speed up the process.
I’ve also found the problem in Firefox, Opera, iCab and Maxthon browsers along with iOS Safari.
I tried the proof of concept with Firefox and when I clicked “Go” the page wouldn’t load.
So does that mean that Firefox is also vulnerable?
Be sure you give it time (several minutes if necessary) to load. If the address bar shows a dailymail.co.uk address, then it is vulnerable.
When I click on “Go” I get a page that says,,,,
“Address bar says dailymail.co.uk – this is NOT dailymail.co.uk”
But the page never finishes loading.
Does that mean my Firefox is vulnerable?
Try switching back to the original tab or window until the test page finishes loading. I have not found a single browser that isn’t vulnerable at this time, although I’ve just heard that a beta version of Chromium finally fixed it, which means that Chrome and Opera should be fixed real soon now.