Posted by Mustafa Al-Bassam on Jul 02

That’s pretty neat. Played around with this and made a few discoveries.

1. It shows a valid certificate when you spoof HTTPS sites. That’s really bad. POC/screenshot:
https://github.com/musalbas/address-spoofing-poc

2. The page isn’t responsive when using this flaw. That means you can’t spoof a login box for example. (I tried.)

3. The success of the exploit seems to depend on if the browser can start loading content.html…