Divyanshu Shukla
Oct 2 · 4 min read

While working for browser-based attacks on the URL bar, I learned a way where it was still possible to spoof address bar in safari. None of the previous exploits was working but while trying something similar, the browser was behaving differently. Initially, I was unable to hold the page long enough for the keyboard to appear and then hovering over it to get the virtual keyboard.
So after researching for multiple functions and calling a function inside a function caused enough delay in loading the page.
Tested on Safari on iPhone 5s Updated to iOS 12.3 version(latest version) and iOS 13.
It was really interesting and challenging to create this working exploit for the POC of CVE-2019-8727.

Summary:

Safari Browser for iPhone suffered from URL Bar Spoofing Vulnerability. URL Bar spoofing is a vulnerability which can be used in phishing attacks.
Due to insecure design principles, safari failed to handle setTimeout and setInterval methods, thus causing a delay in the loading webpage for the non-existent port. While Safari holds the page for some time and using it with autofocus and virtual keyboard thus creating a fake page redirecting to a genuine domain thus triggering URL bar spoofing.

Safari browser for iOS is having usage around 15% –20% across the globe. This flaw along with that, this issue persisted iOS 13 Beta (At the time of testing).

Impact:

Because the functions triggering URL spoofing iOS while the page is still loading causes browser to keep loading the URL but load a different content from the parent tab and then by creating onscreen keyboard in the page which is common in financial institutions. The time it takes to completely load and finish is enough for phishing a user. It can be also used to make user’s download fake application by setting link in the title tag of the page.

It can be also be used as spear-phishing by sending multiple similar links to a group of users and then checking which user visits which kind of website.

Expected Behaviour:

The browser should be showing the real URL location instead of the spoofed one.

Steps To Reproduce:

  1. Create an HTML Code which would spoof the address bar.
  2. Host a malicious page on the website.
  3. It shows a fake facebook page with a form for login with virtual keyboard and autofocus enabled.

URL: https://justmorpheus.000webhostapp.com/day2/boa.html

POC For URL Bar Spoofing iOS 13 Beta
Fake Spoofed Page For Bank Of America

Technical Analysis:

Diving inside the technical analysis of address spoofing attacks it can not only use to spoof URLs but also bypass SOP in some cases.
In the above-mentioned case, code is divided into two parts. The first part contains style tag in the Html body which loads CSS code along with javascript loading onscreen keyboard with autofocus= “true” in the Html form. It is not possible to load relative/absolute URL’s as it will take time to load the stylesheet and thus due to less time, it will appear as the link is broken or fake page to the user thus defeating our motive.

Fake Facebook page without CSS and other content

Then the second part of the code:

<script>setTimeout(function(){ function spoof(){ window.location.assign(“https://www.bankofamerica.com:8090"); } setInterval(spoof(),50000); }, 100);</script>

Which consist of setTimeout method for delaying setInterval for 100 milliseconds, enough to load the fake onscreen keyboard and getting autofocus along with loading CSS. Then spoof function is called with SetInterval method to load URL in window.location.assign and delay by reloading every 50000 milliseconds to load a new document. So, it keeps on loading URL for the non-existent port in the page every 50 sec. Thus, it provides enough time to show spoofed page thus fooling Safari browser.

Solution :

This type of bug can be fixed by resetting the document object model like by displaying a white page, or showing a progress bar or completely redirecting to the genuine page.
Also according to apple, a logic issue was addressed with improved state management.

Fix:

Users are highly recommended to install the latest update for iOS 13 by Apple.

Timeline:

05/24/2019: Discovered and reported to Apple Security Team.
05/31/2019: More information required.
06/02/2019: New POC with update exploit.
09/19/2019: Security update released by Apple with CVE and Hall Of Fame.

Thanks to Apple Security team for resolving the issue.

Reference:

Stay aware stay safe

https://blog.avira.com/safari-address-bar-can-be-tricked-into-displaying-fake-url/
https://chromium.googlesource.com/chromium/src/+/master/docs/security/url_display_guidelines/url_display_guidelines.md
https://www.rafaybaloch.com/2018/09/apple-safari-microsoft-edge-browser.html
https://www.fonearena.com/blog/279381/xiaomi-browser-vulnerability-url-spoofing.html
https://www.jqueryscript.net/other/Responsive-Virtual-Keyboard-Plugin-With-jQuery-jQKeyboard.html
https://vuldb.com/?id.142354
https://support.apple.com/en-us/HT210606

Thanks,
@justm0rph3

Follow Infosec Write-ups for more such awesome write-ups.

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Powered by Hackrew

Divyanshu Shukla

Written by

Security Engineer | Threat Hunter | DevSecops | Linux Administrator

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Powered by Hackrew

Welcome to a place where words matter. On Medium, smart voices and original ideas take center stage - with no ads in sight. Watch
Follow all the topics you care about, and we’ll deliver the best stories for you to your homepage and inbox. Explore
Get unlimited access to the best stories on Medium — and support writers while you’re at it. Just $5/month. Upgrade