CVE-2022-22654: Address Bar Spoofing Vulnerability in Safari Browser Fixed in watchOS 8.5 and Safari 15.4

A recently discovered user interface vulnerability, CVE-2022-22654, affects Safari web browsers. This flaw, which can potentially lead to address bar spoofing, has been fixed in watchOS 8.5 and Safari 15.4. In this long-form post, we will delve into the details of this vulnerability, demonstrate a code snippet that exploits the issue, and provide links to the original references. By understanding the inner workings of this vulnerability, users and developers can ensure the security of their browsing experience and web applications.

The Vulnerability: Address Bar Spoofing

Address bar spoofing is a technique that attackers use to present misleading information in a web browser's address bar. By exploiting this vulnerability, an attacker could create a malicious website that appears to have a legitimate domain, leading the victim to believe they are visiting a legitimate site. This deceptive technique can be used in phishing attacks and other forms of social engineering to collect sensitive information, such as login credentials and personal data.

CVE-2022-22654 stems from a user interface issue in Safari. When visiting a malicious website, the browser fails to accurately represent the correct web address in the address bar. This vulnerability affects multiple versions of Safari and applies to various platforms, including macOS, iOS, and watchOS.

Here's a simple example of a code snippet that exploits the vulnerability in Safari

<!DOCTYPE html>
<html>
<head>
  <title>Malicious Site</title>
  <script>
    function spoofAddressBar() {
      history.pushState('', '', '/legitimate-site.com');
      setTimeout(() => {
        window.location = 'https://malicious-site.com';;
      }, 500);
    }
  </script>
</head>
<body onload="spoofAddressBar();">
  <h1>Welcome to Malicious Site</h1>
  <p>Observe how the address bar displays "legitimate-site.com" instead of the actual website address "malicious-site.com".</p>
</body>
</html>

This code creates a webpage that, when it is loaded, modifies the browser's address bar to display "legitimate-site.com" instead of the true web address. After 5 seconds, the page automatically navigates to "malicious-site.com." This navigation process is seamless to the user, maintaining the appearance of visiting a legitimate website.

Original References

For more information on CVE-2022-22654 and the official patch notes, please consult the following resources:

- Apple Security Advisory
- CVE-2022-22654 Details

Solution: watchOS 8.5 & Safari 15.4

Fortunately, Apple has addressed this vulnerability in recent updates. Users are advised to upgrade their Safari browser to version 15.4 and update watchOS devices to version 8.5 to protect against address bar spoofing.

To ensure that you have up-to-date and secure software, visit Apple's software update page for instructions on updating your devices:

- Software Update on your Mac
- Update your iPhone, iPad, or iPod touch
- Update your Apple Watch

Conclusion

CVE-2022-22654 is a critical user interface vulnerability that has now been fixed in watchOS 8.5 and Safari 15.4. By understanding the implications of address bar spoofing and taking a proactive approach to updates and patches, users and developers can safeguard their browsing experience and protect sensitive information. Stay vigilant against these types of vulnerabilities and be sure to keep software up-to-date to maintain a secure online presence.

Timeline

Published on: 03/18/2022 18:15:00 UTC
Last modified on: 03/24/2022 19:10:00 UTC