Vulnerability Details:

Apple Safari is prone to a dialog box origin spoofing vulnerability. This issue may allow a remote attacker to carry out phishing style attacks. The vulnerability presents itself as dialog boxes from inactive windows may appear in other active windows. An attacker can exploit this issue by creating a malicious Web site and enticing a user to follow a link to the site. If the user follows the link, the attacker can then trigger this issue by somehow enticing a user to follow another link to a trusted site in a new window. The attacker can then display a spoofed dialog box to the user that seemingly originates from the trusted site. Typically this dialog box would mimic the legitimate site. An attacker may exploit this vulnerability to spoof an interface of a trusted web site. This vulnerability may aid in phishing style attacks.

Disclosure Timeline:

2015/8/25 Provide vulnerability detail to APPLE via
2015/8/25 APPLE automatic reply
2015/8/26 APPLE responded that they are verifying the proof of concept code
2015/11/17 APPLE asked how would you like to be acknowledged
2015/12/9 APPLE advisory disclosed,the issue was fiexed in IOS9.2. CVE-2015-7093



This vulnerability was discovered by: xisigr

Attack Video:


Safari for MAC:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/600.6.3 (KHTML, like Gecko) Version/8.0.6 Safari/600.6.3

Safari for IPad:
Mozilla/5.0 (iPad; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F69 Safari/600.1.4

Safari for Iphone:
Mozilla/5.0 (iPhone; CPU OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Version/8.0 Mobile/12F70 Safari/600.1.4

A domain with a port number in the Safari browser, if the colon (:) behind is the non digital, displayed the colon (:) before the domain name in the address bar , the default page rendering can be blank and be changed arbitrarily. The attacker can carefully construct a malicious phishing page, forged any domain in the address bar, and change the content of the page. In Iphone/Ipad, JavaScript create alerts and warnings of the source is forged, and the HTTPS in the address bar will be with a small lock icon, which makes users believe that the current domain is more credible.

POC for Ipad/Iphone

Save as url.html, and open in Safari.


Save as url.html, and open in Safari.

This vulnerability was discovered by xisigr of Tencent’s Xuanwu LAB(
Attack Video

Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities.


———————————————-update: 2016/3/17—————————————-

Bypassing SOP and shouting hello before you cross the pond


屏幕快照 2016-03-17 下午9.03.29



Safari browser has a function for viewing the thumbnail, the current page generated thumbnail should be consistent with its, such as the current page is, then the generated thumbnail page also should be But there is a logical error on the thumbnail, an attacker can attack the thumbnail, when the user has access to a normal page, the attacker can replace the current page thumbnail.