Safari Spoofable Credentials Prompt

Abdullah Alansari
Published in Mac O’Clock
2 min read · May 1, 2020

The Safari web-browser seems to have some UI vulnerabilities that may have long been fixed in most other browsers.

Safari HTTP-Basic-Authentication Dialog

The screenshot shows how an HTTP Basic Authentication credentials prompt can be easily spoofed by an attacker. The widespread habit of reusing passwords only aggravates the impact of this defect. HTTP Basic Authentication is much less used nowadays, but it wouldn’t be surprising if many companies still run legacy systems that rely on it.
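The genuine Safari prompt is raised only when a server answers with a `WWW-Authenticate: Basic` challenge, so a defender's first step is to find the legacy endpoints that still issue one. The following is an added example, not code from the post: an RFC 7235 challenge parser plus a small inventory helper, run over constructed header values (the `SAMPLE` URLs and realms are made up) as a crawler or proxy log might have captured them.

```python
import re
from dataclasses import dataclass, field

@dataclass
class Challenge:
    scheme: str                                   # lower-cased auth-scheme, e.g. "basic"
    params: dict[str, str] = field(default_factory=dict)

# RFC 7235: WWW-Authenticate = 1#challenge; challenge = auth-scheme [ 1*SP #auth-param ]
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_SEP = re.compile(r"[\s,]*")                      # optional whitespace and list commas
_SCHEME = re.compile(rf"({_TOKEN})(?=[\s,]|$)")   # a bare token, not followed by '='
_PARAM = re.compile(rf"({_TOKEN})\s*=\s*(?:\"((?:[^\"\\]|\\.)*)\"|({_TOKEN}))")

def parse_www_authenticate(value: str) -> list[Challenge]:
    """Split one WWW-Authenticate field value into its challenges.
    token68 challenges (e.g. 'Negotiate <blob>') are not handled."""
    out, pos = [], 0
    while True:
        pos = _SEP.match(value, pos).end()
        m = _SCHEME.match(value, pos)
        if not m:
            break
        ch = Challenge(m.group(1).lower())
        pos = m.end()
        while True:                               # auth-params belonging to this scheme
            pos = _SEP.match(value, pos).end()
            pm = _PARAM.match(value, pos)
            if not pm:
                break                             # next token is a new scheme or the end
            raw = pm.group(2) if pm.group(2) is not None else pm.group(3)
            ch.params[pm.group(1).lower()] = re.sub(r"\\(.)", r"\1", raw)  # undo quoted-pair
            pos = pm.end()
        out.append(ch)
    return out

def basic_auth_findings(responses: dict[str, list[str]]) -> list[tuple[str, str]]:
    """Return (url, realm) for every endpoint that offers HTTP Basic, i.e. one that
    will make Safari show the spoofable prompt; input is {url: [header values]}."""
    return [(url, ch.params.get("realm", ""))
            for url, headers in responses.items()
            for h in headers
            for ch in parse_www_authenticate(h) if ch.scheme == "basic"]

SAMPLE = {  # constructed sample data, not real hosts
    "https://intranet.example/": ['Basic realm="Legacy Intranet", charset="UTF-8"'],
    "https://api.example/v1/": ['Bearer realm="api", error="invalid_token"'],
    "https://admin.example/": ['Digest realm="admin", qop="auth", nonce="abc"', 'Basic realm="admin"'],
}

if __name__ == "__main__":
    for url, realm in basic_auth_findings(SAMPLE):
        print(f"Basic auth offered: {url} (realm={realm!r})")
```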

Firefox HTTP-Basic-Authentication Dialog

Here on Firefox, the credentials prompt is a custom window that is much harder to spoof. Chrome/Chromium probably has the best defense, where part of the UI is visibly shared between the browser window and the webpage.

Other Less Serious Spoofable Security Dialogs

Safari Location-Permission-Request Dialog

Safari does better with location permissions, but the prompt is still relatively easy to spoof since the whole UI is in the webpage and will probably only have two variants (dark and light). Safari also seems to have a mitigation for this: input/keystrokes don’t seem to reach the webpage while this dialog is shown, but a webpage could reproduce that behavior partially if not wholly. In the end, though, you’d still not get the permissions by spoofing the UI alone; you’d need some plain old social engineering to confuse the user into granting them.

Firefox Location-Permission-Request Dialog

Firefox is winning again with a dialog that is partially in the browser’s private UI, which can’t be spoofed by the webpage because it’s outside the webpage’s UI container. Extensions are a different story, and it’s probably possible for one to produce a similar UI.

Safari First-Download-Permission-Request Dialog

Finally, and on a positive note, Safari wins by default with the first-download prompt because most other web-browsers don’t even have this dialog.
