

Ask HN: Safari omnibar spoofing vulnerability? - Johngibb

I've noticed that a recent update (Mountain Lion?) has brought the omnibar to Safari. And I've also noticed another nice touch: if you search for something using the omnibar, rather than the URL changing to something like google.com/search?q=search term, the search term itself stays in the address bar.

However, this means that if you search for an _actual_ URL, it _also_ gets displayed in the URL bar.

If you have Google as your default search engine, and you click this URL: http://www.google.com/search?q=www.apple.com you will see www.apple.com in your address bar.

Isn't this a vector for a spoofing attack? Couldn't someone craft a "search engine" that makes it look like you're on a facebook.com login page, and use it to steal passwords?
======
Johngibb
Click this using Mountain Lion Safari and look in your address bar to see what
I mean: <http://www.google.com/search?q=www.apple.com>

------
brunolazzaro
It kind of does. But to exploit the vulnerability, one must change the search
engine first to a "spoofing" one. I don't know if this can be done via
extensions as is done in Chrome.

