On October 25, 2023, Apple fixed a critical web browser vulnerability, tracked as CVE-2023-42843. The bug belongs to a class commonly known as address bar spoofing and affects iOS, iPadOS, Safari, and macOS systems. In this post, we'll break down what the vulnerability is, why it matters, how it's exploited (including example code), and what you should do to stay protected.

What is Address Bar Spoofing? (Summary of CVE-2023-42843)

Address bar spoofing is a web attack where users are tricked into thinking they are visiting a safe website by showing a fake URL in the browser address bar. In reality, they might be on a dangerous or malicious site, making it easier for attackers to steal sensitive information like passwords or personal data.

This specific bug in Apple’s products stemmed from an inconsistent user interface issue related to web state management, resulting in the address bar displaying the wrong site or URL after a redirection.

- Type: Address Bar Spoofing
- Affected Products: iOS, iPadOS (before 16.7.2, 17.1), macOS Sonoma (before 14.1), Safari (before 17.1)
- Patched in: iOS 16.7.2 and 17.1, Safari 17.1, macOS Sonoma 14.1

Exploitation Details & Example Code Snippet

Let's see how a typical exploit might work for this vulnerability. The attacker could craft a webpage with JavaScript that uses multiple redirects or manipulates browser history so that the address bar shows a fake address while the browser actually loads a malicious site.

Example JavaScript Exploit (Conceptual)

<html>
  <body>
    <script>
      // Step 1: Navigate to a harmless-looking URL (replace() keeps it out of the history).
      window.location.replace('https://safe-site.com');

      // Step 2: In the newly loaded document, run another redirect (the attacker controls safe-site.com).
      // When exploited, the browser's address bar might stay as "safe-site.com" even though the attacker loads phishing.html.
      // This part would actually be placed in the page served by "safe-site.com":
      setTimeout(function() {
        location.replace('https://evil-site.com/phishing.html');
      }, 10);
    </script>
    <h1>Loading...</h1>
  </body>
</html>

If the browser fails to update the address bar due to inconsistent UI state, the address bar could still display "https://safe-site.com", even though the page now shows content from "evil-site.com/phishing.html". Users are tricked into thinking they're on a trusted website.

Why is This Dangerous?

- Phishing becomes easier: Fake login screens can be displayed with a “safe” domain in the bar.
- Trust is abused: Many users look at the address bar to check legitimacy before submitting sensitive information.

Here are the original Apple advisories and release notes:

- Apple Security Update for iOS/iPadOS 16.7.2
- Apple Security Update for iOS/iPadOS 17.1
- Apple Security Update for macOS Sonoma 14.1
- NIST NVD Details for CVE-2023-42843
- Original CVE Record

How Did Apple Fix It?

The bug was resolved by improving "state management" in the browser’s user interface. That means when the web page changes—especially due to redirects or JavaScript manipulation—the browser now properly updates the address bar to reflect the true URL loaded, closing this loophole.

How to Protect Yourself

1. Update your devices: Install the latest iOS, iPadOS, Safari, or macOS updates. These patches fix the vulnerability.
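As an added example that is not part of the original post, here is a small Python check that maps a reported product version onto the fixed builds listed above, so a device inventory can be screened for anything still exposed. The inventory records are constructed sample data, and the product labels ("ios", "ipados", "macos", "safari") are names chosen here, not Apple identifiers.

```python
# Added example, not code from the original post: decide whether a reported
# Apple product version still falls in the CVE-2023-42843 affected range, using
# the fixed builds listed in this post. The inventory records at the bottom are
# constructed sample data, not real devices.

# Lowest fixed version on each release branch, keyed by major version.
# iOS/iPadOS got the fix on two branches (16.7.2 and 17.1), so 17.0.x is still
# vulnerable even though 17.0 is numerically above 16.7.2.
FIXED_VERSIONS = {
    "ios":    {16: (16, 7, 2), 17: (17, 1)},
    "ipados": {16: (16, 7, 2), 17: (17, 1)},
    "macos":  {14: (14, 1)},
    "safari": {17: (17, 1)},
}

def parse_version(text):
    """'16.7.2' -> (16, 7, 2); tuples compare component-wise, so (17, 0, 3) < (17, 1)."""
    return tuple(int(part) for part in text.strip().split("."))

def is_vulnerable(product, version):
    """True if vulnerable, False if patched, None if this advisory does not cover
    that major release (e.g. macOS 13, which instead gets the Safari 17.1 update)."""
    branches = FIXED_VERSIONS[product.lower()]
    parsed = parse_version(version)
    major = parsed[0]
    if major in branches:
        return parsed < branches[major]
    if major > max(branches):
        return False          # a newer major release already ships the fix
    return None               # older major: check the Safari version separately

def find_exposed(inventory):
    """Return (hostname, product, version) for every record still vulnerable."""
    return [(host, prod, ver) for host, prod, ver in inventory
            if is_vulnerable(prod, ver)]

# Constructed sample inventory (hostname, product, version).
SAMPLE_INVENTORY = [
    ("ipad-01", "ipados", "16.7.1"),   # vulnerable: below 16.7.2
    ("iphone-02", "ios", "17.0.3"),    # vulnerable: 17 branch is fixed at 17.1
    ("iphone-03", "ios", "16.7.2"),    # patched
    ("mac-04", "macos", "14.0"),       # vulnerable: Sonoma before 14.1
    ("mac-05", "macos", "13.6"),       # not covered here; its Safari build decides
    ("mac-05", "safari", "17.0"),      # vulnerable: Safari before 17.1
]

if __name__ == "__main__":
    for record in find_exposed(SAMPLE_INVENTORY):
        print("needs update:", record)
```

On a Mac the version to feed in comes from `sw_vers -productVersion`; the point of the branch table is that a plain "newer is safer" comparison would wrongly clear iOS 17.0.x devices.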

Conclusion

CVE-2023-42843 highlights just how easy it is for malicious sites to abuse small inconsistencies in browser UI to perform major attacks like phishing. The best protection is to keep your devices updated and stay aware of the risks.

If you found this write-up useful, please share it to help others stay secure. For the most up-to-date information, always refer to Apple's official security updates page.

Timeline

Published on: 02/21/2024 07:15:48 UTC
Last modified on: 11/04/2024 17:35:05 UTC