Safari URL-spoofing vuln reveals how fanbois can be led astray
Here's website A. Oh, is that the address of website B?
A recently published exploit for the Safari browser demonstrates a URL spoofing mechanism which might convince users they are visiting a legitimate website, when they are actually visiting another site which may be phishing their details.
Deusen researchers have disclosed a vulnerability which may be exploited by hackers to hijack user accounts on a range of websites, from social media to banking.
The proof-of-concept invites users to visit what appears to be the Daily Mail website – however, a script loads another URL before the page users are directed to can be displayed.
Tested using Safari on the iPad, the example address-spoofing script causes Safari's address bar to show dailymail.co.uk whilst the browser displays content from deusen.co.uk, although the latter could be substituted with a malicious site, Deusen's researchers say.
The Daily Mail site was previously chosen as the target by Deusen hacker David Leo to highlight a vulnerability in Internet Explorer in February. ®