iOS Safari Spoofing Exploit Found With No Fix Yet

Security researcher Rafay Baloch found an iOS Safari spoofing exploit, and at this time there is no documented fix (via The Register).


iOS Safari Spoofing

The same flaw was also found in Microsoft’s Edge browser, and Microsoft has patched it there. The vulnerability (CVE-2018-8383) lets JavaScript update the address bar while a web page is still loading.

Baloch describes the vulnerability as a race condition: an attacker starts loading a legitimate page, so that page’s address appears in the URL bar, and then quickly swaps the page’s content for something malicious while the address bar keeps showing the legitimate URL.

This would let an attacker build fake login screens and other forms that harvest usernames, passwords, and other private information while the address bar still shows a trusted site. Mr. Baloch has published a video showing a proof of concept of the iOS Safari spoofing.


Mr. Baloch reported the issue to Apple back in June, but we don’t know whether Apple is including a fix for it in iOS 12, or will wait until iOS 12.0.1.
