Who Discovered The Vulnerability?
The vulnerability was identified by security researcher Rafay Baloch, who was able to reproduce the bug only in Safari and Edge. He reported it to both Apple and Microsoft immediately. Microsoft shipped a fix for Edge on August 14th as part of one of its security updates; Apple has not released a patch so far. The three-month grace period before public disclosure expired a week ago.
The vulnerability has not yet been assigned a severity score, but it is tracked as CVE-2018-8383. Exploiting it only requires luring the victim to a specially crafted web page, which is easy to do, so Apple's delay leaves Safari users exposed: an attacker can impersonate any site while the victim sees the legitimate domain name in the address bar together with all the usual authentication indicators. Because the address bar and those indicators are exactly what users are taught to check, the spoof defeats the standard advice for spotting a phishing page. You can read Baloch's full write-up here.
Did The Bug Work?
When the bug was tested with proof-of-concept (PoC) code, a page hosted on sh3ifu.com was able to show Gmail content under Gmail's address, and the spoof worked well. Some page elements kept loading, however, even after the page appeared complete, a sign that the page load never actually finished.
The one obstacle on Safari is that users cannot type into form fields while the page is still loading. Baloch says he and his team worked around this by adding a fake on-screen keyboard to the page, a trick banking Trojans have used for years. The fake keyboard lets the victim enter credentials while the page is still in its loading state, so that loading state is the only visual cue a user has that something is wrong.