OFFICIAL SECURITY BLOG

Address bar spoofing vulnerability found

Published May 20th, 2015 at 2:19 PM EDT , modified May 20th, 2015 at 2:19 PM EDT

A proof-of-concept was released several days ago for an issue in some web browsers, including Safari, that lets a phishing page display another site’s address in the browser’s address bar. This is a potentially very serious issue, but fortunately there are some things you can do about it, if you’re aware of them.

The proof-of-concept is a short piece of JavaScript that repeatedly starts a navigation to a page on the site being imitated, but at such a short interval (10 milliseconds) that each navigation is cancelled by the next one before a response can arrive, so the page never actually loads.

<script>
  // Navigate to a page on the site being imitated. The random query string
  // makes every attempt a different URL, so each call counts as a new navigation.
  function f()
  {
    location="http://www.dailymail.co.uk/home/index.html?random="+Math.random();
  }
  // Fire every 10 ms: each navigation cancels the previous, still-pending one
  // before its response arrives, so no page ever finishes loading.
  setInterval("f()",10);
</script>

Because each attempt ends in a different random number, the browser treats every attempt as a request to load a new page, obediently starts the navigation, and immediately shows the pending address in the address bar. Ten milliseconds later the next attempt arrives and the previous request is abandoned before any response comes back. Since no navigation ever completes, the document already rendered in the window is never replaced, and that document can be made to look exactly like the site whose address is being spoofed. This can be used to strengthen phishing attacks, since a user is more likely to trust the page if everything looks as expected, rather than seeing a mismatch between the apparent site content and the address.
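To make the timing argument concrete, here is an added example that is not code from the original post and is not Safari’s actual implementation: a toy model of a browser tab that receives the PoC’s navigations. The address bar takes the new URL as soon as a navigation starts, the rendered document only changes when a response arrives, and a navigation started while another is pending cancels it. The interval, the network latency, the attacker’s page URL and the function names are assumptions; the target URL is the one the PoC uses.

```javascript
// Added example; a model of the race the PoC exploits, not Safari's code.
// Simulates `durationMs` of virtual time in 1 ms steps. Every `intervalMs`
// the page sets location=...; the model updates the address bar at once but
// only replaces the rendered document when the response arrives `latencyMs`
// later. A navigation started while one is pending cancels the pending one.
function simulateTab({ intervalMs, latencyMs, durationMs, originalUrl, targetUrl }) {
  let addressBar = originalUrl;   // what the user sees in the address bar
  let renderedDoc = originalUrl;  // which document is actually displayed
  let pending = null;             // { url, arrivesAt } for an in-flight navigation
  let cancelled = 0;
  let committed = 0;

  for (let now = 1; now <= durationMs; now++) {
    // The response for the pending navigation arrives: the document is replaced.
    if (pending !== null && now >= pending.arrivesAt) {
      renderedDoc = pending.url;
      pending = null;
      committed++;
    }
    // The PoC's timer fires: start a navigation to a fresh, unique URL.
    if (now % intervalMs === 0) {
      if (pending !== null) cancelled++;
      const url = targetUrl + '?random=' + Math.random();
      pending = { url, arrivesAt: now + latencyMs };
      addressBar = url;
    }
  }
  return { addressBar, renderedDoc, cancelled, committed };
}

// True when the address bar names the imitated site while the rendered
// document is still the attacker's page, i.e. the spoof is working.
function spoofHolds(result, originalUrl, targetUrl) {
  return result.renderedDoc === originalUrl && result.addressBar.startsWith(targetUrl);
}

const ORIGINAL = 'http://gonnainfectyou.com/paypal-login.html'; // constructed attacker page
const TARGET = 'http://www.dailymail.co.uk/home/index.html';    // the URL the PoC loads

// 10 ms interval against an assumed 80 ms latency: no navigation ever completes.
const fast = simulateTab({ intervalMs: 10, latencyMs: 80, durationMs: 1000,
                           originalUrl: ORIGINAL, targetUrl: TARGET });
// 100 ms interval with the same latency: responses arrive and the real page
// replaces the fake one, which is why the PoC needs such a short interval.
const slow = simulateTab({ intervalMs: 100, latencyMs: 80, durationMs: 1000,
                           originalUrl: ORIGINAL, targetUrl: TARGET });

console.log('10 ms interval: spoof holds =', spoofHolds(fast, ORIGINAL, TARGET), fast);
console.log('100 ms interval: spoof holds =', spoofHolds(slow, ORIGINAL, TARGET), slow);
```

The model shows the two things a user sees in Safari 8: the address bar is pinned to the imitated site, and a load indicator never settles because a request is always in flight. It also shows the attacker’s constraint: the interval must stay below the round-trip time to the imitated site, or the genuine page arrives and replaces the phishing content.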

In Safari 8.0.6 running on Mac OS X 10.10.3 (Yosemite), this spoof is actually quite good. Everything seems to be on the up-and-up, except for a small blue dot that flickers very slightly in the lower left corner of the address bar (the beginning of the progress bar shown while a site is loading) and the fact that the button at the right side of the bar never changes from an X (indicating that a page is loading) into the circle-arrow icon of the reload button.

If the user has set Safari to display the full website address in the address bar (which is not the default), there will be more indication of trouble, as a constantly-changing random number will flicker at the right side of the address. This can be turned on by going to the Advanced pane of Safari’s preferences and changing the Smart Search Field setting to “Show full website address.” The default of hiding everything but the domain was itself added as a defense against certain types of deceptive phishing URLs, so this may be a case of “damned if you do, damned if you don’t.”

Fortunately for users of older systems, Safari’s address bar did not behave this way before Yosemite, and the flicker is pretty noticeable there. It’s unlikely this trick will fool anyone using Mavericks or earlier. The same is true on iOS devices, such as iPads or iPhones: the flicker is too bad to fool anyone.

Some may be wondering why this is a problem. The answer is simple: suppose I’ve got a site called “gonnainfectyou.com” and I want to run a PayPal phishing scam. My domain name isn’t really cut out for that, but now that’s not a problem. I just put a fake PayPal login page on my site, along with this JavaScript to make the address bar claim the page is actually on a PayPal site. Now if I can just get someone to click a link to my page, bam… they see a convincing PayPal login page that funnels any usernames and passwords entered straight into my hands, so I can go on a shopping spree!

Hopefully Apple will soon make some minor changes to Safari 8 to make this trick more obvious. In the meantime, you should always inspect the address behind a link before clicking on it, so you know where you’re going. This is especially important in e-mail messages, where a link can easily be a phishing attempt. And keep an eye peeled for that flickering little progress bar dot… if you see it, whatever site you’re on is not what it appears to be!
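Inspecting a link before clicking means comparing where the text says it goes with where the href actually goes, which a mail client or browser extension can do mechanically. The following is an added example, not code from the original post: it parses the real destination with the standard URL class, flags a host that merely contains the claimed name as a subdomain, and flags the old trick of hiding the real host behind a username (“http://www.paypal.com@gonnainfectyou.com/”). The helper names, the sample links and the two-label “registrable domain” rule are simplifying assumptions.

```javascript
// Added example; not from the original post. Checks whether a link's href
// really leads to the site its visible text claims.

// Naive registrable domain: the last two labels ("www.paypal.com" -> "paypal.com").
// This is an assumption for the example; real code should consult the Public
// Suffix List, since "example.co.uk" would be reduced to "co.uk" here.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  return labels.slice(-2).join('.');
}

// Extract a hostname from visible link text such as "https://www.paypal.com/signin"
// or "paypal.com"; returns null when the text does not name a site at all.
function hostFromText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9.-]+\.[a-z]{2,})(?:[\/:?#]|$)/i);
  return m ? m[1].toLowerCase() : null;
}

// Compare the site a link claims (its text) with where the href really goes.
// Returns { ok, reason, actualHost }.
function inspectLink(href, linkText) {
  let url;
  try {
    url = new URL(href);
  } catch (e) {
    return { ok: false, reason: 'href is not a valid URL', actualHost: null };
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'non-web scheme ' + url.protocol, actualHost: url.hostname };
  }
  // Anything before "@" is a username, not the host: "http://www.paypal.com@evil/"
  // is a request to "evil" with the username "www.paypal.com".
  if (url.username !== '' || url.password !== '') {
    return { ok: false, reason: 'credentials in URL disguise real host ' + url.hostname,
             actualHost: url.hostname };
  }
  const claimed = hostFromText(linkText);
  if (claimed === null) {
    return { ok: true, reason: 'link text names no site; goes to ' + url.hostname,
             actualHost: url.hostname };
  }
  const actual = registrableDomain(url.hostname);
  const expected = registrableDomain(claimed);
  if (actual === expected) {
    return { ok: true, reason: 'href matches claimed site ' + expected, actualHost: url.hostname };
  }
  // "www.paypal.com.gonnainfectyou.com" begins with the expected name but is
  // registered under a different domain.
  const decoy = url.hostname.toLowerCase().includes(claimed)
    ? ' (claimed name used as a subdomain)' : '';
  return { ok: false, reason: 'href goes to ' + actual + ' but text claims ' + expected + decoy,
           actualHost: url.hostname };
}

// Constructed sample links of the kind found in phishing e-mail: [href, visible text].
const SAMPLE_LINKS = [
  ['https://www.paypal.com/signin', 'https://www.paypal.com/signin'],
  ['http://gonnainfectyou.com/paypal/login.html', 'https://www.paypal.com/signin'],
  ['https://www.paypal.com.gonnainfectyou.com/signin', 'paypal.com'],
  ['http://www.paypal.com@gonnainfectyou.com/', 'www.paypal.com'],
  ['https://www.paypal.com/', 'Log in to your account'],
];

for (const [href, text] of SAMPLE_LINKS) {
  const r = inspectLink(href, text);
  console.log((r.ok ? 'OK   ' : 'WARN ') + text + ' -> ' + href + ': ' + r.reason);
}
```

This check runs on the link before the click, which is the one moment the address bar spoof above cannot touch; once the page is open, the bar can no longer be trusted on an affected browser.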

17 Comments

  • Lee Maxwell says:

    Any idea if this affects other web browsers in OS X, like Firefox [my personal choice], Chrome, Opera, etc.?

    • Thomas says:

      Different browsers react very differently. Firefox seems not to be affected. Chrome shows the right address, but seems to get a bit hung up by the repeated loading and may seem to freeze for a while. I’ve heard a number of reports about other less-common browsers, ranging from completely unaffected to completely locked up, requiring a force quit.

    • Al Varnell says:

      I have been able to replicate this in Google Chrome 43.0.2357.65, Firefox 38.0.1, iCab 5.5, Maxthon 4.5.2 and Opera 29.0 running Yosemite. Also iOS 5.1.1 Safari which is the highest version I can run on an iPad 1.

  • Ian MacGregor says:

    Thank you, Thomas! I use iPhones and iPads and always long-press a URL before clicking on it to see if I even need to be there.

  • Beverly says:

    Tried to get an RCA tablet on my system last night, password kept coming up, call Cisco. Called and got a tech saying you were infected, took control of my Mac and tried to sell me 69.99 …. upset..

  • Chris Courtney says:

    Would a program like 1 password negate the effects of this?

    • Thomas says:

      Yes, to some degree. 1Password won’t enter your password on the wrong site, but some people may just think it’s glitching and enter the password manually. If 1Password doesn’t seem to want to recognize that you’re on the right site, take that seriously and find out why.

      • Chris Courtney says:

        Thanks Thomas! I had sent this to another Mac friend and says he is using 1 Password.

  • Steve says:

    Why is Flash claiming to want to be reinstalled when I have the latest version and latest OS?

    • Al Varnell says:

      This has nothing to do with this topic so not sure why you ask here, but…

      If you have Flash Player v17.0.0.188 then you have the latest version and you should ignore whatever you are seeing, otherwise go to System Preferences->Flash Player->Updates tab and click “Check Now” to get the new version that came out last week.

      OS X does not include or update Flash Player. It comes only from Adobe.

  • David G says:

    Does the blue dot remain small as opposed to a slow progress bar? I frequently have issues on some sites that I use regularly where the progress bar freezes. I either eventually get to the site or get a “timeout” error, but I’ve never accessed a site and had the button on the right remain an “X”. I’m assuming I’m ok and just have a poor connection or there’s an issue with the site. Should I be concerned?

  • Baffled says:

    Thanks for the important info. Since there’s no update to this article, I assume the issue hasn’t been fixed. Well I’m back to Firefox again.

    By the way, do you happen to know how the hell we’re supposed to tell the difference between a website that keeps reloading the page multiple times a second because it wants to track you or serve new ads constantly or is badly designed, or a website that doesn’t change from the “X” because it’s timing out or an extension is messing with something or the site is broken, and a website that is doing these things because it’s a phishing site?

  • Sacha says:

    Wow, that’s quite an issue. I was able to replicate this just by pasting that code into a plain text file and opening it in Safari 8.0.6. I don’t think anyone without knowledge of this would notice the little blue thing either.

  • ed martin says:

    I’m a new first-time reader with an older version, 10.6.8, on my older Mac. Do I need Malwarebytes or some other form of protection for my older Mac? Your help would be much appreciated as this problem concerns me deeply now. Thanks in advance! ed m
