
Safari Spoofing Bug on iOS, OS X Opens Door to Malware


The more heavily we rely on digital products, the more vigilant we should be against attacks. Apple's ecosystem was once seen as a safe haven from most forms of threats, and although the rap sheets of OS X and iOS are considerably cleaner than those of their peers, it still pays to be wary of malicious intrusion. Recently, a group of security researchers demoed a proof-of-concept address-spoofing exploit that loads a predefined web page whose content does not match the URL shown in the address bar. It could therefore be used to pass off dangerous malware or phishing sites as legitimate, safe ones.

As browser-based issues go, the severity of this one cannot be downplayed. It would take a hacker minutes to set up a phishing site that looked and operated identically to a legitimate, trusted website, and from there, anything from login credentials to bank details could be lifted with ease.

In the image you see below, Safari shows the Daily Mail website in the address bar, but the content being displayed is actually from a site under the URL of deusen.co.uk. The scary thing is, the bug exists in both the mobile and desktop versions of Safari for iOS and OS X respectively, and along with the phishing scams, there's also a good chance that malware could be shipped in this manner.

Jeremiah Grossman, WhiteHat Security's CTO of Web security, describes the exploit as "clever," and for those interested, here's what the script for the hack looks like:

function f()

Apple has yet to pass comment on the issue, but we'd expect a response in the very near future. When it comes to security, the company doesn't tend to sit on its hands for too long, and hopefully, a patch will be released with a reasonable dose of haste.

Deusen, the group that discovered this bug and posted a proof of concept showing it working, rose to prominence earlier this year when it latched onto the Universal Cross Site Scripting (XSS) flaw found in Microsoft's Internet Explorer. The vulnerability within the outgoing IE was first seen in February, placing the personal information and credentials of users at risk, and since that bug was readily dealt with by Microsoft, let's see if Apple is just as quick on the draw.

As for how this affects you, there's no reason to panic too much as yet. The demo code itself is a little hit-and-miss, and with no reports that the script has been used for any nefarious activity, this will hopefully be nipped in the bud by Apple before it can have any lasting effect on Safari users on both iOS and OS X.

(source: Deusen via Ars)