VYPR
Unrated severity · NVD Advisory · Published Aug 16, 2015 · Updated May 6, 2026

CVE-2015-3729

Description

Apple Safari before 6.2.8/7.1.8/8.0.8 fails to display the origin of input prompts, enabling UI spoofing by remote attackers.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2015-3729 is a user interface spoofing vulnerability in Apple Safari versions prior to 6.2.8, 7.1.8, and 8.0.8. The browser does not visually indicate which web site originated an input prompt (e.g., a dialog requesting text input). This allows a malicious website to open another site in a frame or window and then present a prompt that appears to come from the trusted site. The issue exists in the Safari application as used on OS X Mountain Lion 10.8.5, Mavericks 10.9.5, and Yosemite 10.10.4, and also in iOS before 8.4.1 [1][2].

Exploitation

An attacker must host a crafted web page that, when visited by the victim, can open a legitimate site (e.g., a bank or email login) and then display a browser-level input prompt without clearly labeling the originating domain. No authentication or special privileges are required beyond luring the victim to the malicious site via a link or advertisement. The prompt itself may solicit sensitive information such as usernames, passwords, or other credentials [2].

Impact

Successful exploitation allows the attacker to perform user interface spoofing: the victim sees a prompt that appears to be from a trusted site but is actually controlled by the attacker. This can lead to disclosure of sensitive information (e.g., credentials) the user enters into the prompt, resulting in a compromise of confidentiality and potential downstream account takeover [1][2].

Mitigation

Apple addressed this vulnerability in Safari 6.2.8, 7.1.8, and 8.0.8, and in iOS 8.4.1, all released on August 13, 2015. The fix involves displaying the prompt origin to the user, so the user can identify the actual requesting site. Users should update to the latest versions of Safari or iOS. No workarounds are documented; running an unpatched version leaves users exposed [1][2].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3
  • Apple Inc./Safari (2 versions)
    • cpe:2.3:a:apple:safari:*:*:*:*:*:*:*:* (range: >=6.0,<6.2.8)
    • (no CPE) (range: < 6.2.8, >= 7.0.0 < 7.1.8, >= 8.0.0 < 8.0.8)
  • Apple Inc./iOS (llm-fuzzy)
    • Range: < 8.4.1

References

6
