Mac O’Clock
Published in

Mac O’Clock

Safari Spoofable Credentials Prompt

The Safari web-browser seems to have some UI vulnerabilities that may have long been fixed in most other browsers.

We can see how an HTTP Basic Authentication credentials can be easily spoofed by an attacker. The standard of reusing passwords only aggravates the impact of this defect. HTTP Basic Authentication is much less used nowadays, but it wouldn’t be surprising if many companies use legacy systems that still use it.

Here on Firefox, we can see how the credentials are in a custom window that is much harder to spoof. Chrome/Chromium probably has the best defense where a part of the UI is visibly shared between the browser window and the webpage.

Other Less Serious Spoofable Security Dialogs

Safari does better with location permissions but it’s still relatively easy to spoof since the whole UI is in the webpage and will probably only have two variants (dark and light). Safari also seems to have a mitigation for this where the input/keystrokes don’t seem to work with the webpage when this dialog is shown but this behavior may be reproduced in by the webpage partially if not wholly. But in the end, you’d still not get the permissions by spoofing the UI alone and you’d need some plain old social engineering to confuse the user into it.

Firefox is winning again with a dialog that is partially in the browser private-UI, and this can’t be spoofed by the webpage because it’s outside its UI container. Extensions are a different story, and it’s probably possible to produce a similar UI.

Finally and on a positive note, Safari wins by default with the first download prompt because most other web-browsers don’t even have this dialog.

--

--

The best stories for Apple owners and enthusiasts

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store