From the department of things that aren't what they seem, researchers have demonstrated a new address-spoofing exploit that tricks Safari users into thinking they're visiting one site when in fact the Apple-made browser is connected to an entirely different address.

The recently published proof-of-concept exploit causes the Safari address bar to display dailymail.co.uk even though the browser is displaying content from deusen.co.uk. It works on fully patched versions of iOS and OS X. Malicious attackers might use the bug to dupe Safari users into thinking they're connecting to a trusted site instead of one that's phishing their login credentials or attempting to install malware.

The demo code isn't perfect. On the iPad Mini Ars tested, the address bar periodically refreshed the address as the page appeared to reload. The behavior might tip off more savvy users that something is amiss. Still, many users would surely fail to spot the unusual refresh. What's more, the refresh behavior wasn't observed on a MacBook Pro Ars also tested.

Jeremiah Grossman, CTO of Web security firm White Hat Security, called the hack "clever." Based on a quick analysis of the JavaScript the demo relies on, the page appears to force Safari to visit the dailymail URL, which is what the browser's address bar then reflects. Before that page can finish loading, the script quickly hits another URL, and it repeats this on a timer. The script looks like this:

<script>
function f() {
    location = "dailymail.co.uk/home/index.htm…" + Math.random();
}
setInterval("f()", 10);
</script>
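The server-side footprint of that timer is one client re-requesting the same path every few milliseconds, each time with a fresh Math.random() suffix, referred from a foreign origin. As an added example (not from the article or the researchers), here is a check the impersonated site could run over its access log; it assumes those repeated navigations actually reach the server, and it uses a constructed, simplified log format rather than any real log.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic), one request per line:
#   <epoch seconds> <client ip> <path+query> <referer>
# The first client mimics the spoofing script: the same path every ~10 ms
# with a fresh Math.random() suffix, referred from deusen.co.uk.
SAMPLE_LOG = """\
1432202400.000 203.0.113.5 /home/index.htm?0.8137 http://deusen.co.uk/
1432202400.010 203.0.113.5 /home/index.htm?0.2215 http://deusen.co.uk/
1432202400.021 203.0.113.5 /home/index.htm?0.9904 http://deusen.co.uk/
1432202400.030 203.0.113.5 /home/index.htm?0.4471 http://deusen.co.uk/
1432202400.041 203.0.113.5 /home/index.htm?0.1063 http://deusen.co.uk/
1432202400.050 203.0.113.5 /home/index.htm?0.7728 http://deusen.co.uk/
1432202401.000 198.51.100.7 /home/index.htm -
1432202405.500 198.51.100.7 /sport/index.htm http://dailymail.co.uk/home/index.htm
"""

def parse_line(line):
    ts, client, target, referer = line.split()
    path, _, query = target.partition("?")
    return float(ts), client, path, query, referer

def referer_host(referer):
    m = re.match(r"https?://([^/]+)", referer)
    return m.group(1).lower() if m else None

def find_spoof_bursts(log_text, own_host, max_gap=0.05, min_hits=5):
    """Return [(client, path, longest_burst, foreign_referer_hosts)]."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, path, query, referer = parse_line(line)
            by_key[(client, path)].append((ts, query, referer))
    findings = []
    for (client, path), hits in by_key.items():
        hits.sort()  # order by timestamp
        run, best, foreign = 1, 1, set()
        for (t0, q0, _), (t1, q1, ref) in zip(hits, hits[1:]):
            # A burst step: same path, different query, sub-50 ms gap.
            run = run + 1 if (t1 - t0 <= max_gap and q1 != q0) else 1
            best = max(best, run)
            host = referer_host(ref)
            if host and host != own_host:
                foreign.add(host)
        if best >= min_hits:
            findings.append((client, path, best, sorted(foreign)))
    return findings
```

A burst of five or more such hits from one client is the signal; the foreign referer host tells the site which origin embedded the script.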

The vulnerability was uncovered by the same researchers who in February reported a bug in a fully patched Internet Explorer version that put user credentials at risk.