XLAB ID: XLAB-15-022     

CVE ID: CVE-2015-7093     

Patch Status: Fixed

Vulnerability Details:
Apple Safari is prone to a dialog box origin spoofing vulnerability that may allow a remote attacker to carry out phishing-style attacks. The issue arises because dialog boxes from inactive windows may appear in other, active windows. An attacker can exploit this issue by creating a malicious website and enticing a user to follow a link to it. If the user follows the link, the attacker can then trigger the issue by somehow enticing the user to follow another link to a trusted site in a new window. The attacker can then display a spoofed dialog box that seemingly originates from the trusted site. Typically this dialog box would mimic the legitimate site. An attacker may exploit this vulnerability to spoof the interface of a trusted website, which may aid in phishing-style attacks.

Disclosure Timeline:

2015/8/25 Provided vulnerability details to APPLE via product-security@apple.com
2015/8/25 APPLE automatic reply
2015/8/26 APPLE responded that they are verifying the proof of concept code
2015/11/17 APPLE asked how we would like to be acknowledged
2015/12/9 APPLE advisory disclosed; the issue was fixed in iOS 9.2 (CVE-2015-7093)

This vulnerability was discovered by: xisigr