Beware! Unpatched Safari Browser Hack Lets Attackers Spoof URLs
– Swati Khandelwal
The phishing attacks today are sophisticated and increasingly more difficult to spot, and this newly discovered vulnerability takes it to another level that can bypass basic indicators like URL and SSL, which are the first things a user checks to determine if a website is fake.
Vulnerability (CVE-2018-8383) is due to a race condition type issue caused by the web browser allowing JavaScript to update the page address in the URL bar while the page is loading. This vulnerability could essentially allow an attacker to load a legitimate page which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious one.
The URL below has a POC video for the vulnerability. Please do look.
Link: https://thehackernews.com/2018/09/browser-address-spoofing-vulnerability.html
Ah race conditions. The greatest frustration of anyone doing something asynchronous. It’s funny how sometimes you wonder if you’ll ever need to know this type of content after a systems class. “Why would I ever care about race conditions? I’m never going to build an OS.” Well, here it is. This is very true that there is a kind of uncertainty about what the resulting computation will be in a race condition. I’m surprised that the makers of Safari didn’t detect this. Even in Ubuntu, when you compile your programs, you can get little warnings in the terminal about race conditions. Thanks for the heads up.