Data belonging to as many as 1 billion iPhone users remains vulnerable to attempts by hackers to steal personal information by exploiting a security flaw in the Safari browser.

Safari is the default internet browser in Apple devices.

Pakistani information security expert Rafay Baloch found these security bugs in Edge, Microsoft’s default browser, and Safari some months ago.

As per standard practice, Baloch privately alerted both companies that attackers could use this loophole to imitate websites without changing the URL addresses in the browsers.

According to the details that Baloch shared with Samaa Digital, an attacker can load a page on these browsers that has fake log-in and other forms without altering the URL. The URL will give users the impression that the page is legitimate.

“This flaw undermines Google’s claim that the address bar is the only reliable security indicator in modern browsers,” Baloch says.

After the information security researcher shared evidence of his findings with the companies, Microsoft was able to resolve it, but Apple could not. Therefore, iPhone users still remain vulnerable to what is known as a spoofing attack.

“To avoid placing our customers at risk, we would appreciate you not disclosing this information until our investigation is complete and any necessary updates are publicly available,” someone called Jonathan from Apple’s Product Security department wrote back to Baloch.

However, Baloch insists he made a responsible disclosure and gave the company over 100 days to fix the bug, an international practice, before making it public – Baloch has previously helped Google, Paypal and other tech firms fix security flaws in their information systems, which earned him accolades as one of the world’s leading information security experts.

In his YouTube videos, Baloch has demonstrated how an attacker can use this bug and imitate a website to steal information like usernames and passwords. Baloch has also written a blog post detailing his discovery.