Apple Safari Addressbar Spoofing Attacks with Search Engines on IOS

I reported the vulnerability to the APPLE in February 1, 2016 , The vulnerabilities are discussed in this article have been fixed. I think this is a very interesting logical bug, which makes the smart search bar becoming dangerous!

 

AFFECTED PRODUCTS

——————–

User Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/ 601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E5191d Safari/601.1

DESCRIPTION

——————–

In the Safari browser for IOS, the addressbar and the smart search bar are combined together, in the settings of the Safari can choose the default search engine: such as YAHOO, Google, Bing, Baidu, DuckDuckGo……. when searching for a URL in the default search engine,the URL will be displayed on the Omnibox. According to this characteristic, if the search engine has XSS, an attacker can make a arbitrary URL in the addressbar ,and change the page’s content to spoofing attack.

PoC

——————–

Testing environment:

1, set the default search engine for Baidu

2, IPhone/IPAD

(1) Safari search in IPhone

POC:

(2) Safari search in IPAD

POC:

 

(3) Addressbar Spoofing Attacks with Search Engines

If the search engine has XSS, an attacker can make a arbitrary URL in the addressbar ,and change the page’s content to spoofing attack.Here I found a Baidu search engine XSS to prove the spoofing attack.

POC:

Online DEMO: http://xisigr.com/test/spoof/safari/url20165055483693fb8543.html

FIXED

——————–

Found a XSS in search engines of “Google, YAHOO, Bing……” is very hard. So APPLE repair scheme is to add the search mark in Smart Search bar.

CREDIT

——————–

This vulnerability was discovered by xisigr of Tencent’s Xuanwu Lab

(http://www.tencent.com).

Email:xisigr@gmail.com