Safari exploit lets hackers trick users into visiting spoof addresses

BY Killian Bell

Published 19 May 2015


Researchers have discovered a URL-spoofing exploit in Safari on both iOS and OS X that allows attackers to trick users into thinking they are visiting trusted websites when in actual fact they are visiting an entirely different address. The hack could be used for phishing and to distribute malware.

The researchers have created a proof-of-concept exploit that demonstrates how the attack works. When users click the link, Safari’s address bar tells them they are visiting — the address of a popular British newspaper. But in actual fact, they are visiting a totally different URL.

“The demo code isn’t perfect,” explains Ars Technica. “On the iPad Mini Ars tested, the address bar periodically refreshed the address as the page appeared to reload. The behavior might tip off more savvy users that something is amiss.”

Nevertheless, it could fool plenty of other Safari users into thinking they’re visiting genuine sites, and that has serious implications. Attackers could create a website dressed up as PayPal, for instance, and steal your login information — and then your money.


The exploit doesn’t work in other browsers like Chrome, Firefox, and Internet Explorer.

Ars explains that the page's JavaScript first sends Safari to one URL, the one shown in the address bar, and then quickly reloads a different URL before the first page is displayed, so the address bar keeps showing the first URL while the content comes from the second.

Apple will be keen to address a flaw like this, which clearly puts Safari users and their data at risk. Hopefully, we’ll see a fix in the next Safari update, and we won’t have to wait too long for it.