AFFECTED PRODUCTS
——————–

Safari for Mac:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3

Safari for iPad:
Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4

Safari for iPhone:
Mozilla/5.0 (iPhone; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4

DESCRIPTION
——————–
In Safari, when a URL carries a port number and the characters after the colon (:) are not digits, the address bar displays only the part before the colon, i.e. the domain name, while the rendered page is blank by default and its content can be changed arbitrarily. An attacker can therefore craft a phishing page that forges any domain in the address bar and controls what the page shows. On iPhone/iPad, alerts and warnings created by JavaScript report the forged origin, and an HTTPS address bar shows the small lock icon, which leads users to believe the spoofed domain is trustworthy.
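A defender-side check for the URL shape described above, added here as an example that is not part of the original advisory: it splits the authority component along RFC 3986 lines and flags a port that is not purely numeric (or out of range), which a link scanner, mail gateway or proxy could use to reject such URLs before they reach a browser. The sample URLs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# authority = [ userinfo "@" ] host [ ":" port ]   (RFC 3986, section 3.2)
# host is either a bracketed IP-literal or anything up to the first ':'
_HOST_PORT_RE = re.compile(r"^(?P<host>\[[^\]]*\]|[^:]*)(?::(?P<port>.*))?$")
_DIGITS_RE = re.compile(r"[0-9]*")  # port = *DIGIT


def check_url_port(url: str) -> dict:
    """Return a finding for the URL's authority: host, port and status.

    status is 'ok' when there is no port or the port is all digits in
    range, and 'suspicious' otherwise, with a short reason attached.
    """
    authority = urlsplit(url).netloc
    # The last '@' terminates userinfo, so everything after it is host[:port].
    _, _, hostport = authority.rpartition("@")
    m = _HOST_PORT_RE.match(hostport)
    host, port = m.group("host"), m.group("port")
    if port is None or port == "":
        return {"host": host, "port": None, "status": "ok", "reason": ""}
    if not _DIGITS_RE.fullmatch(port):
        return {"host": host, "port": port, "status": "suspicious",
                "reason": "non-numeric port"}
    if int(port) > 65535:
        return {"host": host, "port": port, "status": "suspicious",
                "reason": "port out of range"}
    return {"host": host, "port": int(port), "status": "ok", "reason": ""}


def scan_urls(urls):
    """Return only the findings that a gateway should block or review."""
    return [dict(url=u, **check_url_port(u)) for u in urls
            if check_url_port(u)["status"] == "suspicious"]


# Constructed sample input (not from the advisory).
SAMPLE_URLS = [
    "https://www.example.com/",
    "https://www.example.com:443/",
    "https://www.example.com:login/",
    "https://www.example.com:99999/",
    "http://[2001:db8::1]:8080/",
]

if __name__ == "__main__":
    for finding in scan_urls(SAMPLE_URLS):
        print(finding)
```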

PoC
——————–
PoC for iPad/iPhone

Save as url.html, and open in Safari.

PoC for Mac

Save as url.html, and open in Safari.

CREDIT
——————–
This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
Email: xisigr@gmail.com
Attack Video
——————–


References
——————–
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.
CONFIRM: https://support.apple.com/kb/HT205030
CONFIRM: https://support.apple.com/kb/HT205033
APPLE: APPLE-SA-2015-08-13-1
URL: http://lists.apple.com/archives/security-announce/2015/Aug/msg00000.html
APPLE: APPLE-SA-2015-08-13-3
URL: http://lists.apple.com/archives/security-announce/2015/Aug/msg00002.html


——————– update: 2016/3/17 ——————–

Bypassing SOP and shouting hello before you cross the pond

[Screenshot: 2016-03-17 21:03:29]

Safari has a feature for viewing a thumbnail of each open page. The thumbnail generated for the current page should match that page: if the current page is google.com, the generated thumbnail should also show google.com. Because of a logic error in thumbnail handling, an attacker can target the thumbnail: while the user is visiting a normal page, the attacker can replace that page's thumbnail.