Apple Safari Dialog Origin Spoofing Vulnerability
XLAB ID: XLAB-15-022
CVE ID: CVE-2015-7093
Patch Status: Fixed
Vulnerability Details:
Apple Safari is prone to a dialog box origin spoofing vulnerability that may allow a remote attacker to carry out phishing-style attacks. The underlying flaw is that dialog boxes raised by an inactive window may appear in a different, active window. An attacker can exploit this issue by creating a malicious web site and enticing a user to follow a link to it. If the user follows the link, the attacker can then trigger the issue by enticing the user to follow another link that opens a trusted site in a new window. The attacker can then display a spoofed dialog box that appears to originate from the trusted site; typically this dialog box would mimic the legitimate site. An attacker may exploit this vulnerability to spoof the interface of a trusted web site, which may aid in phishing-style attacks.
Disclosure Timeline:
Date | Event
---|---
2015/8/25 | Provided vulnerability details to Apple via product-security@apple.com
2015/8/25 | Apple automatic reply
2015/8/26 | Apple responded that they were verifying the proof-of-concept code
2015/11/17 | Apple asked how the reporter would like to be acknowledged
2015/12/9 | Apple advisory disclosed; the issue was fixed in iOS 9.2 (CVE-2015-7093)
Credit:
This vulnerability was discovered by: xisigr