Apple Safari Address Bar Spoofing Attacks with Search Engines on iOS

I reported the vulnerability to Apple on February 1, 2016. The vulnerabilities discussed in this article have been fixed. I think this is a very interesting logical bug, which makes the smart search bar dangerous!


AFFECTED PRODUCTS

——————–

User Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E5191d Safari/601.1

DESCRIPTION

——————–

In Safari for iOS, the address bar and the smart search bar are combined into one field, and in Safari's settings the user can choose the default search engine, such as Yahoo, Google, Bing, Baidu or DuckDuckGo. When the user searches for a URL in the default search engine, that URL is displayed in the omnibox. Because of this behaviour, if the search engine has an XSS vulnerability, an attacker can make an arbitrary URL appear in the address bar while controlling the page's content, which enables a spoofing attack.

PoC

——————–

Testing environment:

1. Set the default search engine to Baidu

2. iPhone/iPad

(1) Safari search on iPhone

PoC:

[Screenshot: search_spoof_1]

(2) Safari search on iPad

PoC:

[Screenshot: search_spoof_2]

(3) Address Bar Spoofing Attacks with Search Engines

If the search engine has an XSS vulnerability, an attacker can make an arbitrary URL appear in the address bar and change the page's content to carry out a spoofing attack. Here I found an XSS in the Baidu search engine to demonstrate the spoofing attack.

PoC:

[Screenshot: search_spoof_3]

Online DEMO: http://xisigr.com/test/spoof/safari/url20165055483693fb8543.html

FIXED

——————–

Finding an XSS in search engines such as Google, Yahoo or Bing is very hard, so Apple's fix was to add a search mark to the Smart Search bar.

[Screenshot: search_spoof_4]

CREDIT

——————–

This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).

Email: xisigr@gmail.com
