Introduction

Safari and Google Chrome's auto-resolve/auto-search when typing something in the URL bar can be a liability.

Given a configured automatic proxy, typing in the Safari URL bar: localhost:8384 may make Safari resolve that to:

www.localhost.com:8384

Similarly, typing: 127.0.0.1:8384 would make Safari resolve that to:

www.127.0.0.1:8384

This happens regardless whether the network settings Exclude simple hostnames and Bypass proxy settings for these Hosts & Domains are configured or not:

They seem to have no effect and Safari will still resolve the loopback address 127.0.0.1 to www.127.0.0.1 and localhost:8384 to www.localhost.com:8384.

In case the query contains some POST or GET data that contains sensitive information, then it is trivial for someone to mount a Girl-In-The-Sandwich (MITM) attack by just registering the www.localhost.com domain or the www.127.0.0.1 domain and simply dumping any incoming data.

Similarly, under certain circumstances, Google Chrome's and Safari's feature of searching for what you type in the URL bar, will make the entire domain be forwarded to Google search. Even though it may send that data through HTTPs, that is still a case of information disclosure to Google and other third parties.

For example, some wikis require you to navigate to a non-existing page via the URL bar, in order to create that page and add content. However, given Safari and Chrome's integrated search, if the page does not exist, Google search will not find it and instead the URL will be dumped to Google as a search:

This is the shipped default behaviour and to even be able to navigate to the intended URL, one has to chose the option Go to Site […] which is available after the Google search.