Browser address bar exploit persists in Safari; other Mac browsers unaffected

A bug that affected both Chrome and Safari still persists in Safari. It allows a malicious Web site to spoof the browser's address bar so that it appears you are at one URL when in fact you are at another.

When phishing sites attempt to steal your information, they commonly create page layouts that mimic popular and trustworthy pages such as those from Facebook, PayPal, Apple, and others. While some of these are impressively similar to the official pages, one easy way to detect them is to look at your address bar and see that the page's URL is not an official one.

With this bug, however, malicious individuals can set up a phishing page and then make its URL appear legitimate. Initially discovered by Rapid7 and reported by ZDNet, the bug stems from clever handling of "204 No Content" responses combined with "window.open" JavaScript event-handling code. The page's address bar continually refreshes, which lets the page show any URL even though that URL is never actually loaded, all while the malicious page generating the URL keeps working normally.
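Because the spoof relies on a stream of "204 No Content" responses to keep the address bar refreshing, one place a defender can look for it is the web-server or proxy access log. The script below is an added example written for this page, not code from MacIssues, Rapid7, or ZDNet. It assumes Common Log Format lines and a simple heuristic (an assumption, not something the article states) that a single client receiving an unusually dense burst of 204 responses is worth flagging; the log lines, client addresses, and the `/refresh` path are all constructed sample data.

```python
"""Flag clients that receive a burst of HTTP 204 responses in an access log.

Heuristic (an assumption for this example, not from the article): a page that
abuses 204 No Content responses to keep the address bar refreshing will
produce many 204s to the same client within a few seconds.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (client, timestamp, path, status) or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("client"), ts, m.group("path"), int(m.group("status"))


def find_204_bursts(lines, threshold=10, window_seconds=5):
    """Return {client: peak 204 count} for every client whose number of 204
    responses inside some window of window_seconds reaches threshold."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == 204:
            per_client[rec[0]].append(rec[1])

    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        peak = 0
        j = 0
        # Sliding window: for each start index i, advance j to the first stamp
        # outside the window; j - i is the number of 204s in that window.
        for i in range(len(stamps)):
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            peak = max(peak, j - i)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


# Constructed sample log lines (not real traffic): one client receiving twelve
# 204s from /refresh inside three seconds, one client browsing normally.
SAMPLE_LOG = [
    f'203.0.113.5 - - [10/Oct/2000:13:55:{36 + i // 4} -0700] "GET /refresh HTTP/1.1" 204 0'
    for i in range(12)
] + [
    '198.51.100.7 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326',
    '198.51.100.7 - - [10/Oct/2000:13:55:40 -0700] "GET /style.css HTTP/1.1" 200 174',
    '198.51.100.7 - - [10/Oct/2000:13:55:41 -0700] "GET /ping HTTP/1.1" 204 0',
]

if __name__ == "__main__":
    for client, peak in find_204_bursts(SAMPLE_LOG).items():
        print(f"{client}: {peak} x 204 within 5s")
```

The threshold and window are deliberately conservative defaults; a site that legitimately answers many beacon or keep-alive requests with 204 will need them tuned, so treat a hit as a prompt to inspect the page in question rather than as proof of abuse.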

This exploit can be seen in action on this proof-of-concept site, where the URL of the popular UK news outlet "DailyMail" is displayed in the address bar even though the site is not DailyMail.

Although this spoof works, it is not necessarily a major issue, especially for those who keep an eye out for odd behavior. When you load practically any Web page, the page should load and then stay as-is, and you can check the URL and other details about the address by clicking on it. With this exploit, however, the page's URL refreshes continuously, making it impossible to select, and it may also cause Safari's web content to crash, which is itself a sign that something is wrong.

Therefore, even though Google has patched its vulnerable versions of Chrome and so far no patch has been issued for Safari, the exploit is fairly easy to detect by eye. Basically, if any Web page causes your browser to crash, hang, or stick to some behavior despite your attempts to change it, do not trust the page you are on and close it down; force your browser to quit if you have to.

In recent tests performed by MacIssues-affiliated researchers, this bug does affect some alternative browsers for OS X, while others do not seem to be affected. Different versions of a browser may behave differently, but the latest versions show the following behavior:

  • Google Chrome — The browser locks up, but does not incorrectly display the URL
  • iCab — The browser page refreshes but does not display the faulty URL
  • OmniWeb — The address bar chaotically flashes the fake and actual URL
  • Opera — The browser locks up, but does not display the URL
  • Chromium — As with Chrome, the browser locks up but does not display the URL
  • Firefox — Not affected by this problem

Author

Mac Issues
