
Same-Origin Policy Bypass in Safari Opens Door for Phishing Attacks


Karamjit


Flaw can be exploited on the latest versions of iOS and OS X

A bug in the way Safari handles content from two different domains can be leveraged by attackers to load a malicious page while the address bar still shows the URL of a legitimate site.

The vulnerability relates to the same-origin policy (SOP), the browser rule that a document from one origin (scheme, host and port taken together) may not read or modify content belonging to another origin. The address bar is the user-facing half of that guarantee: the URL shown is supposed to identify the origin whose content is displayed, and an address bar spoof breaks exactly that link. The SOP is often described as a defense against cross-site request forgery (CSRF), but it is not one: CSRF works precisely because browsers are allowed to send cross-origin requests (with cookies attached); the SOP only stops the attacker's page from reading the response.
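To make the origin rule concrete, here is an added example (not code from the Softpedia article and not the researcher's proof of concept) that reduces URLs to their origin tuple and compares them the way the same-origin policy does. The function names `originOf` and `sameOrigin` and the dailymail.co.uk URLs used as inputs are assumptions chosen for illustration.

```javascript
// Added example: same-origin comparison as browsers apply it.
// Not code from the original article or from the published proof of concept.

// Default ports the URL parser leaves implicit, so that
// http://a.example and http://a.example:80 compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port). Unparseable
// input and schemes without a tuple origin (about:, data:, file:)
// are treated as opaque and get null.
function originOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch (e) {
    return null;
  }
  if (!(u.protocol in DEFAULT_PORTS)) return null; // opaque origin
  return {
    scheme: u.protocol,                      // already lower-cased by the parser
    host: u.hostname.toLowerCase(),          // www.dailymail.co.uk, not dailymail.co.uk
    port: u.port || DEFAULT_PORTS[u.protocol] // "" means the scheme default
  };
}

// Two URLs are same-origin only if all three parts match. Path, query,
// fragment and userinfo play no part. An opaque origin never matches
// anything, not even itself.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (!oa || !ob) return false;
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed inputs (not taken from the article) showing the edges that
// matter: same host but different scheme, subdomain vs. apex, explicit
// default port, and an opaque origin.
const CASES = [
  ["http://www.dailymail.co.uk/news/article.html", "http://www.dailymail.co.uk:80/other"],
  ["http://www.dailymail.co.uk/", "https://www.dailymail.co.uk/"],
  ["http://www.dailymail.co.uk/", "http://dailymail.co.uk/"],
  ["HTTP://WWW.DAILYMAIL.CO.UK/", "http://www.dailymail.co.uk/x?y#z"],
  ["about:blank", "about:blank"]
];

for (const [a, b] of CASES) {
  console.log(sameOrigin(a, b) ? "same-origin   " : "cross-origin  ", a, "vs", b);
}
```

The point of the comparison for this story: the attacker's page and the legitimate news site are different origins, so the browser must keep the attacker's scripts from reading or writing the legitimate document. What the demo breaks is the display side of the same promise, the address bar naming an origin other than the one whose content is rendered, which is why no amount of server-side hardening on the spoofed site helps the user who is looking at it.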

Researcher makes available proof-of-concept code

Security researcher David Leo has found that the latest version of Safari is susceptible to this same-origin policy bypass and has published proof-of-concept code to demonstrate the flaw. The exploit works on iOS and OS X with the newest updates installed.

In the demo, Leo shows arbitrary content loaded in the browser while the address bar claims the page displayed belongs to the dailymail.co.uk news outlet.

The exploit is not perfect, though. A user who watches the address bar can catch a brief glimpse of the web address that is actually loaded. Few users pay that kind of attention to the address bar while browsing, however, so the tell could easily pass unnoticed.

In early February, the researcher demonstrated the same type of flaw in Internet Explorer 11 running on Windows 7 and 8.1. Microsoft has since patched that vulnerability.

A good bait can make a load of victims

The risks posed by this type of attack are obvious. Phishing attempts aimed at stealing login credentials for online services are the most evident, but cybercriminals could also exploit the glitch to point unsuspecting users to websites serving malware.

All it takes to trick someone into opening a fraudulent page is an email address or a phone number and the right bait.

Yesterday, we reported on crooks running a scam to harvest phone numbers by luring users with the promise of activation codes for video calls in the WhatsApp messaging service. Combining a spoofed web address with the right content could produce a large number of victims.

From: http://news.softpedia.com/news/Same-Origin-Policy-Bypass-in-Safari-Opens-Door-for-Phishing-Attacks-481621.shtml
