Mobile browsers experience vulnerabilities in Address Bar
The presence of address bar spoofing vulnerabilities in various smartphone browsers has recently been exposed by cybersecurity company Rapid7. Upon exploitation, these bugs will do significant harm to the multiple users since they won’t even recognize the bogus pages. The seven smartphone browsers, including some common ones, were infected by about 10 different vulnerabilities. Specifically, the UC Browser, Opera Mini, Opera Touch, Yandex Browser, Bolt Browser, RITS Browser, and Apple Safari are insecure browsers.
Regardless of being extraordinary, all the bugs had a similar effect address bar spoofing. It means that an attacker may spoof the URLs of legitimate websites to malicious web pages. The intruder does not need to hijack the legitimate goal website in such attacks. Instead, the attacker tries to manipulate the bugs in each browser to view the URL improperly. Since a client can check the authenticity of a URL by taking a gander at the URL, address bar ridiculing can undoubtedly deceive the users. That is the reason browsers ought to stay careful about such bugs that can lead to spoofing.
According to Rafay Baloch, a security researcher who discovered the bugs, “First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators forgery, secondly since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”
The vulnerabilities originally grabbed the eye of Pakistani security researcher Rafay Baloch. In his article, he shared the bugs technical descriptions and the PoC- Proof of Concept. Rapid7 then coordinated with Baloch to report the vulnerabilities to the respective vendors. The vendors had a 60-day timeframe for fixing the bugs. The circumstance is that Apple and Opera clients are sheltered since the two sellers reacted quickly to the bug report.
Opera Mini awaits a patch for which a set release for November 11, 2020, has been committed by the vendors. In the subsequent browser updates, Yandex and RITS both reacted before public disclosure and dedicated fixes. Notwithstanding, the UC Browser users should be cautious since the vendors didn’t react to the bug report. It isn’t certain whether they have fixed or are wanting to fix the bugs at any point soon.
Affected Browsers by Rapid7
CVE | Vendor | Browser | Version | Platform | Fixed? |
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | Fixed v13.3.2 on Oct 21, 2020 |
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | Fixed v13.3.2 on Oct 21, 2020 |
CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020 |
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4. |
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security |
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020 |
CVE-2020-9987 | Apple | Safari | iOS 13.6 | iOS | Fix released Sept. 16, 2020 |