:neo:safari_url_spoof
http://www.neoresearch.org/[neo]safari_url_spoof.html

:intro:
 Following the discovery by Benjamin Tobias Franz for spoofing URLs in IE by using tables within links.
 [http://www.packetstormsecurity.nl/0410-advisories/msieLink.txt]


It is possible to spoof URLs under OS X in the latest Safari browser 1.2.3 (v125.9) by using the same method.
 By putting tables within links, safari (like IE) can't handle the links correctly, thus displaying the incorrect URL, making it succeptible to URL spoofing.

 Tested on OS X 10.3.5 (build 7M34) with latest software update.

Ironically, this does not work with Internet Explorer on OS X version 5.2.3 (5815.1).


:example:
 <a href="http://www.apple.com/"><table><tr><td><a href="http://www.google.com/">Click here</td></tr></table></a>


:threat:
 this can be used for phising attacks to trick users to divulge sensitive information such as banking authentication details.


:solution:
 A new update to Safari is required to protect against this URL Spoofing attack. Apple have been advised 1/11/04 via "Report bugs to Apple" within Safari.


Gilbert Verdian
neoresearch.org