【CVE-2015-7093】Apple Safari Dialog Origin Spoofing Vulnerability

Vulnerability Details:

Apple Safari is prone to a dialog box origin spoofing vulnerability that may allow a remote attacker to carry out phishing-style attacks. The flaw is that a dialog box raised by an inactive window can appear in front of a different, active window. To exploit it, an attacker creates a malicious web site and entices a user to follow a link to it; from that site the attacker then entices the user to follow a second link that opens a trusted site in a new window. The attacker's page can then display a dialog box that appears to originate from the trusted site and typically mimics the legitimate site's interface. An attacker may exploit this vulnerability to spoof the interface of a trusted web site, which aids phishing-style attacks.

Disclosure Timeline:

2015/8/25 Provided vulnerability details to APPLE via product-security@apple.com
2015/8/25 APPLE automatic reply
2015/8/26 APPLE responded that they were verifying the proof-of-concept code
2015/8/25 APPLE asked how I would like to be acknowledged
2015/12/9 APPLE advisory disclosed; the issue was fixed in iOS 9.2. CVE-2015-7093

References:

https://support.apple.com/HT205635
http://lists.apple.com/archives/security-announce/2015/Dec/msg00000.html

Credit:

This vulnerability was discovered by: xisigr

Attack Video:
