HomeWinBuzzer NewsMicrosoft Edge Protected Against New Spoofing Technique

Microsoft Edge Protected Against New Spoofing Technique

Reacting to a 90-day notice from a security research, Microsoft updated Microsoft Edge to mitigate against an address bar vulnerability.


often touts the security capabilities of its web browser. At the moment, it seems the company has good reason to. A new phishing technique has been discovered that aims to trick users into handing over data. Microsoft has pre-empted this attack as Edge is already protected against the technique.

The phishing in question is a spoofing attack discovered by security researcher Rafay Balock. He produced the attack on Microsoft Edge and reported it to Microsoft. In its August security cumulative updates, the company was able to issue a mitigation.

Baloch says the spoofing attack targets the browser address bar. Bad actors can trick users by manipulating the address bar to let them think they are on a legitimate website.

The researcher published a paper title “Bypassing Browser Security Policies For Fun And Profit“.


In the paper, Baloch shows how he found address bar spoofing techniques. He details how one vulnerability is found in Microsoft Edge and 's .

“During my testing, it was observed that both Edge and Safari browser allowed javascript to update the address bar while the page was still loading. Upon requesting data from a non-existent port the address was preserved and hence a due to race condition over a resource requested from non-existent port combined with the delay induced by setInterval function managed to trigger address bar spoofing.

“It causes browser to preserve the address bar and to load the content from the spoofed page. The browser will however eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”


The good news for users of both browsers is that they are shored up against the vulnerability. Microsoft protected Edge with the of a mitigation against CVE-2018-8383 last month.

Baloch says he informed Microsoft of the flaw on June 9 and was working on 's Project Zero principal. That means Microsoft had 90 days to respond to the vulnerability. This is actually a security method Redmond disagrees with, but the fix was issued on Patch Tuesday (Aug 14).

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News