Security firm Deusen reveals that the flaw works by using a short script to force Safari into loading one page while still displaying the URL of another page. This script is provided below:
Deusen has published a demonstration of the vulnerability here.
“The code is very simple: webpage reloads every 10 milliseconds using the setInterval() function, just before the browser can get the real page and so the user sees the ‘real’ web address instead of the fake one,” comments Manuel Humberto Santander Peláez, Handler at SANS Internet Storm Center.
The bug works on fully patched versions of iOS and OS X. Even so, the demo code is not perfect.
Staff members at Ars Technica tested the vulnerability, and while the demo code worked flawlessly on a MacBook Pro, the address bar on an iPad Mini periodically refreshed as the page appeared to reload.
Similarly, Help Net Security experienced some problems when testing the bug. The demo code appeared to work only until the user switched tabs, and even then, it noted that savvy users would notice a flickering in the loading progress bar of the address bar.
Despite the demo code’s flaws, less experienced users might not notice this behavior. Attackers could subsequently target unaware users by redirecting them to a malicious website where they could attempt to infect visitors with malware or steal their login credentials.
This vulnerability was discovered by the same group of researchers who found a Universal Cross-Site Scripting (UXSS) vulnerability in the latest versions of Microsoft’s Internet Explorer back in February of this year. That flaw also put web users’ login credentials and sensitive information at risk.
Users are encouraged to watch out for spoofing attacks that redirect them to phishing schemes.