Ask HN: Safari omnibar spoofing vulnerability?

1 points by Johngibb ↗ HN
I've noticed that a recent update (Mountain Lion?) has brought the omnibar to Safari. And I've also noticed another nice touch - if you search for something using the omnibar, rather than the url changing to something like google.com/search?q=search term, the search term itself stays in the address bar.

However - this means that if you search for an _actual_ url, it _also_ gets displayed in the url bar.

If you have Google as your default search engine, and you click this url: http://www.google.com/search?q=www.apple.com you will see www.apple.com in your address bar.

Isn't this a vector for a spoofing attack? Couldn't someone craft a "search engine" that makes it look like you're on a facebook.com login page, and use it to steal passwords?

2 comments

[ 4.1 ms ] story [ 15.8 ms ] thread
It kind of does. But to exploit the vulnerabilty, one must change the search engine first to a "spoofing" one. I don't know if this can be done via extensions as is done in chrome.