Ask HN: Safari omnibar spoofing vulnerability?

1 point

14 years ago

I've noticed that a recent update (Mountain Lion?) has brought the omnibar to Safari. And I've also noticed another nice touch - if you search for something using the omnibar, rather than the url changing to something like google.com/search?q=search term, the search term itself stays in the address bar.

However - this means that if you search for an _actual_ url, it _also_ gets displayed in the url bar.

If you have Google as your default search engine, and you click this url: http://www.google.com/search?q=www.apple.com you will see www.apple.com in your address bar.

Isn't this a vector for a spoofing attack? Couldn't someone craft a "search engine" that makes it look like you're on a facebook.com login page, and use it to steal passwords?

2 comments