
14 Sep 2018
A vulnerability in the Safari and Edge browsers could allow address bar spoofing: an attacker can replace the content of a page without the site address in the browser's address bar changing. The bug allows JavaScript to change the address in the address bar before the browser has finished loading the web page.
The vulnerability was discovered by security expert Rafay Baloch. He exploited the vulnerability only in the Safari and Edge browsers. He informed Microsoft and Apple about the vulnerability. Microsoft released a security update for Edge on August 14th. Apple has not yet released an update for this vulnerability.
Demonstration of the vulnerability by Rafay Baloch: see the video.
This vulnerability is serious, and everyone who uses Edge must install the latest Windows updates. For now, it is advisable to avoid Safari and use another browser to access banking sites, online payment systems and other sites where you share sensitive information.
If you notice anything suspicious on the web page you are on, such as spelling mistakes, check the certificate by clicking the padlock on the left side of the address bar and see which organization it was issued to. If it was not issued to the company named on the site, it is highly recommended that you close the page and access the site from a search engine or a bookmark. Change the password of the email address associated with the account as well as the account password.