Mobile users face a serious security problem because of vulnerable browsers on their devices: security researchers have disclosed address bar spoofing vulnerabilities in multiple mobile browsers.
Address Bar Spoofing In Multiple Mobile Browsers
Cybersecurity firm Rapid7 has recently disclosed address bar spoofing bugs in numerous mobile browsers. Once exploited, these bugs can do serious harm, because users have no way of telling the fake page from the real one.
Briefly, around ten different bugs affected seven mobile browsers, including some popular ones. Specifically, the vulnerable browsers are UC Browser, Opera Mini, Opera Touch, Yandex Browser, Bolt Browser, RITS Browser, and Apple Safari.
Although the bugs differ from one another, they all have the same impact: address bar spoofing.
This means an attacker can make the browser display the URL of a legitimate website while the page actually shown belongs to the attacker. The attacker does not need to compromise the legitimate site at all. Instead, the attacker exploits a flaw in a specific browser so that it displays the wrong URL for the content being rendered.
Since the address bar is the main cue an ordinary user has for judging whether a site is genuine, address bar spoofing easily tricks users. Cues such as the URL and the padlock icon are drawn by the browser itself, so once the browser has been fooled into showing the wrong address, the user has nothing independent to fall back on.
That is why browser vendors need to treat such spoofing bugs seriously.
According to Rafay Baloch, the security researcher who discovered the bugs:
First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and gives no indicators of forgery. Secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.
Patches Coming Out Slowly…
The bugs were first discovered by Pakistani security researcher Rafay Baloch, who has shared the technical details and the proof-of-concept code in his paper. Rapid7 then coordinated with Baloch to report the bugs to the respective vendors.
The vendors were given a 60-day period to patch the bugs. With that deadline now passed, the researchers have disclosed the bugs publicly.
So the situation now is that Apple and Opera responded swiftly to the bug report and have already shipped fixes, so Safari and Opera Touch users are protected once they update. Opera Mini still awaits its patch, which the vendor has committed to release on November 11, 2020.
Yandex and RITS also responded before public disclosure and have committed to fixes in their subsequent browser releases.
However, UC Browser users need to be careful, since the vendor did not respond to the bug report at all. It is unclear whether the bugs have been patched or whether a fix is planned. Until one ships, the address bar in that browser cannot be relied on, and switching to a patched browser for anything sensitive is the safer choice.