*Abstract:* The PhishingAlert of Safari stops functioning in Windows systems if an abnormal URL is being used. *Details:* There is a defense mechanism in Safari which recognizes URL deceits such as http://www.baidu.com@evil.com. The phishing alert will be activated once the HTTP URL that we want to access contains userinfo information. (as the picture below shows) [image: ÄÚǶͼƬ 1] > http://apple.com@xsser.me/ *Proofs of concept:* We discovered in our researches that if one or two ¡°/¡± are being added before the host name, then the PhishingAlert could be bypassed. (Password of userinfo must be available) [image: ÄÚǶͼƬ 2] http://apple.com:£¯@/xsser.me/ *From:*http://en.wooyun.org/bugs/wooyun-2013-014 -- WooYun, an Open and Free Vulnerability Reporting Platform For more information, please visit *http://en.wooyun.org/about.php *