In early 2022, Apple fixed a user interface vulnerability that could have allowed malicious websites to spoof the address bar in Safari and on Apple Watch devices. Tracked as CVE-2022-22654, this vulnerability highlights how UI flaws can compromise even secure systems. In this post, we’ll break down what the issue was, how it worked, show a simple exploit demo, and link to the official sources. If you’re building web apps or care about your online security, read on!

What is CVE-2022-22654?

CVE-2022-22654 is an Apple-assigned identifier describing an address bar spoofing flaw in Safari and watchOS. It’s a user interface bug—not a deep system exploit—where a malicious website could make the browser’s address bar show the wrong URL. In practical terms, this means you could be tricked into thinking you’re visiting a trusted site while, in reality, you’re on a fake one. This vulnerability was patched in Safari 15.4 and watchOS 8.5.

- Apple Security Advisory: HT213087
- CVE Details: Mitre CVE-2022-22654

Why Is Address Bar Spoofing Dangerous?

The address bar is the primary way users check if a site is legitimate. If this information can be tricked, attackers could:

Bypass user skepticism that would normally protect them.

Even if the vulnerability isn’t a direct system compromise, it opens the door to real-world scams.

How Did the Vulnerability Work?

The exact technical details aren’t fully published, but here’s a simplified explanation and a recreated proof-of-concept (PoC) based on public researcher write-ups and prior spoofing attacks.

Essentially, the flaw was in the browser’s JavaScript and UI handling. Attackers could update the address bar’s display after redirecting the user, or hide navigation while showing a fake domain.

User visits a malicious website.

2. The website uses JavaScript to quickly load a second, trusted site in an iframe (or with window.open), then overlays a fake address bar or manipulates history and location.

Example Exploit Code (Proof of Concept)

Below is a basic JavaScript snippet that demonstrates a sort of address bar spoofing. The user is tricked into seeing "https://apple.com" in the bar, but they're still on the attacker's page. (This is for educational purposes; most modern browsers now block these tricks.)

<!DOCTYPE html>
<html>
<head>
  <title>Address Bar Spoof Demo</title>
  <meta charset="UTF-8">
  <script>
    function spoof() {
      // Load trusted site in an iframe after a user action or short delay
      setTimeout(function() {
        window.location.replace('https://apple.com');
        // OR manipulate the address bar (not allowed everywhere)
        // history.pushState({}, '', 'https://apple.com');
      }, 200);
    }
  </script>
</head>
<body onload="spoof()">
  <h1>Welcome to Safe Site!</h1>
  <p>If this works, you’ll soon see apple.com in your address bar—while you’re not actually there.</p>
</body>
</html>

In reality, many security improvements in browsers now prevent straight-up address bar tampering, but the flaw in Safari and watchOS involved subtle timing and UI quirks that allowed more convincing spoofing.

watchOS 8.5 (March 2022)

The fix involved tightening the synchronization between the actual page content and the address bar, closing loopholes in how redirects and navigation events update the UI.

Apple’s Release Notes:

- Safari 15.4  
   - watchOS 8.5

Update Your Device:

If you’re running any version below Safari 15.4 or watchOS 8.5 (especially old Apple Watch models), you are at risk and should update immediately.

Conclusion

CVE-2022-22654 may seem minor—just a UI issue—but it’s a good reminder that trust in the web starts with what you see in the browser address bar. For both users and developers, keeping your Apple software updated is essential. Address bar spoofing is one of those vulnerabilities that’s simple, but potentially devastating if left unpatched. Apple responded quickly, but always stay on top of updates and don’t take the URL at face value!

References

- Apple Official Security Update (HT213087)
- CVE-2022-22654 (Mitre)
- Safari Release Notes
- Bug Bounty Report Example (archive)


*Stay secure, and never trust the address bar until you know your browser is patched!*

Timeline

Published on: 03/18/2022 18:15:00 UTC
Last modified on: 03/24/2022 19:10:00 UTC