The Google security team state that the address bar is the most important security indicator in modern browsers. This part of the browser supplies both the true identity of the website and verification that you are on the right website.
Eric Lawrence, the author of Fiddler, an HTTP debugging proxy, has written about this feature on his personal blog. In his article, he gave reasons why web developers couldn’t interfere with anything above the webpage window, sometimes referred to as The Line of Death, and what problems might occur from this lack of involvement. Despite his efforts to raise awareness, two address bar spoofing incidents took place the same year the blog post was published.
One of the address bar spoofing incidents was the Homograph vulnerability that took place in April 2017. Using the International Domain Name (IDN) feature, which allows domain names to be written in foreign characters, attackers imitate legitimate domains using characters from various alphabets to trick users. This attack is called a Homograph attack.
For example, the xn--80ak6aa92e.com address would show "аррӏе.com" due to IDN which is virtually indistinguishable from "аpple.com", even though these are totally different letters that just happen to look the same. Don't believe us?
- Copy this а here
- Paste it into your browser bar, and press Return
- Did you receive search results for the letter 'a' of the Latin alphabet or the Cyrillic script?
However, browser developers took precautions by releasing security patches that prevented this confusing behaviour shortly after the discovery of the vulnerability. One tactic was to convert an IDN address into the ASCII format in the address bar, which managed to prevent malicious activity.
Address Bar Spoofing in Microsoft Edge and Safari
The second address bar spoofing incident was discovered by Pakistani researcher Rafay Baloch, who lectures at various conferences, such as Blackhat, on his research about browser security. The address spoofing technique he found affected Microsoft Edge and Safari browsers.
- While a website redirected its visitor to another website with with a closed port, the attacker could intervene and change the content of the current web page however they liked.
- Since the URL bar already showed the address of the domain with the closed port , users were led to believe that they were browsing a legitimate site instead of an attacker-controlled one and are convinced to enter their credentials.
- In his proof-of-concept, before redirecting the user to the website with the closed port, Baloch decoded the base64 encoded version of Gmail login page, and then added it to the DOM. Therefore the address in the URL (http://gmail.com:8080) and the phishing page looked very convincing. Baloch managed to keep the spoofed address stable by using the setinterval() function that tried to redirect the user every 100 seconds.
The Code Used to Spoof the Web Browser Address Bar
Baloch used the following code for the aforementioned exploit.
var gmail = 'PCFET0NC8+KArOK.........ZHk+PC9odG1sPg=='; // The base64 encoded version of the Gmail page
The proof-of-concept above was the one working on the Microsoft Edge browsers. The latest security update for Microsoft Edge fixed the vulnerability. Baloch's a tweet announced that Apple also fixed the vulnerability with the release of Safari 12. You can read more about his research on the blog post, Apple Safari & Microsoft Edge Browser Address Bar Spoofing - Writeup.
The address bar is the main component used by web browsers to navigate the internet. Users enter the website they wish to visit. Web security-conscious users may watch the changes on the address they enter as the page loads. Attackers are aware of this, and therefore invent smart ways to deceive the user, such as the Homograph attacks and the vulnerabilities found by Rafay Baloch. Keeping all software, especially web browsers, up to date is crucial to help prevent similar attacks.