
Cybersecurity researchers on Tuesday disclosed details of an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for phishing attacks and the delivery of malicious software.

Other browsers affected include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser.

The flaws were discovered by Pakistani security researcher Rafay Baloch in the summer of 2020 and jointly reported by Baloch and cybersecurity company Rapid7 in August, before being addressed by browser makers over recent weeks.

UCWeb and Bolt Browser remain unpatched to date, while Opera Mini is expected to receive a fix on November 11, 2020.

The issue stems from malicious executable JavaScript code on an arbitrary website that forces the browser to update the address bar, while the page is still loading, to another address of the attacker’s choice.


“The vulnerability occurs because Safari keeps the URL address bar when requested over an arbitrary port, the dedicated break function reloads every 2 milliseconds and so the user is not able to identify the redirect from the original URL to a spoofed URL,” Rafay Baloch said in a technical analysis.

“What makes this vulnerability more effective in Safari by default is not revealing a port number in URL unless and until focus is set through a cursor.”

Put differently, an attacker can set up a malicious website and lure the target into opening the link from a spoofed email or text message, thereby leading an unsuspecting recipient to download malicious software or risk having their credentials stolen.
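As a defensive illustration of the port detail above (an added example, not code from Baloch's or Rapid7's write-ups): a link-triage heuristic for inbound email or text messages that flags links carrying an explicit non-default port, the part of the URL the address bar is described as hiding. The function names and the sample message are constructed, and treating every such link as worth review is an assumption of this example.

```javascript
// Added example: triage links in an inbound message for explicit,
// non-default ports. All names and the sample message are constructed.
const URL_PATTERN = /\bhttps?:\/\/[^\s<>"')]+/gi;

function extractLinks(text) {
  // Trim trailing sentence punctuation that is rarely part of a URL.
  return (text.match(URL_PATTERN) || []).map((u) => u.replace(/[.,;:!?]+$/, ""));
}

function inspectLink(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return { raw, verdict: "unparseable" };
  }
  // The WHATWG URL parser normalises a scheme's default port (80 for http,
  // 443 for https) to "", so a non-empty url.port is an explicit
  // non-default port.
  const flagged = url.port !== "";
  return {
    raw,
    host: url.hostname, // what a bar that hides the port would show
    port: url.port,
    verdict: flagged ? "review" : "ok",
  };
}

function triageMessage(text) {
  return extractLinks(text).map(inspectLink);
}

// Constructed sample message (example.com and example.net are reserved domains).
const sampleMessage = `
Your invoice is ready: https://example.com:8080/invoice?id=1.
Help centre: https://example.com:443/help
Terms: http://example.net/terms
`;

for (const r of triageMessage(sampleMessage)) {
  console.log(r.verdict.padEnd(7), r.raw);
}
```
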

The research also found that the macOS version of Safari is vulnerable to the same bug, which, according to Rapid7, was addressed in a macOS Big Sur update released last week.

This is not the first time such a vulnerability has been seen in Safari. Back in 2018, Baloch revealed a similar type of address bar spoofing that caused the browser to preserve the address bar and load the content from the spoofed page through a JavaScript-induced timing delay.

“With the increasing sophistication of spear phishing attacks, exploiting browser-based vulnerabilities such as address bar spoofing can worsen the success of spear phishing attacks and thus prove to be very fatal,” said Baloch.

“First of all, it is easy to persuade the victim to steal testimonials or distribute malicious software when the address bar points to a trusted website and without any falsifying indicators; secondly, because the vulnerability exploits a feature specifically in a browser, it can avoid several counter-plans and phishing solutions.”

