Security researchers on Tuesday revealed a set of address bar spoofing vulnerabilities affecting multiple mobile browsers. The affected browsers range from the more common ones, such as Apple Safari and Opera Touch, to others including UCWeb's UC Browser, Yandex Browser, Bolt Browser, and RITS Browser, leaving users open to spear-phishing attacks and malware delivery.
Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been as dangerous as they are today. The flaws were discovered by Rafay Baloch in the summer of 2020 and jointly reported by Baloch and cybersecurity firm Rapid7 in August, before being communicated to the browser developers over the last few days.
Spoofing Vulnerabilities in Affected Browsers
The problems came to light earlier this year and were reported to browser makers in August. The big vendors patched the issues right away; UCWeb and Bolt Browser remain unpatched as yet, while Opera Mini is expected to receive a fix on November 11, 2020. The affected browsers are listed below:
CVE | Vendor | Product | Version | Platform | Status
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fixed in version 2.4.5 released Sep 15, 2020
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020
CVE-2020-9987 | Apple | Apple | iOS 13.6 | iOS | Fix released Sept. 16, 2020
Table copied from Rapid7
In the attack described, the attacker constructs a URL that mixes RTL (right-to-left) and LTR (left-to-right) characters. Baloch gave the following example:
When you open the page in a phone browser, the browser misinterprets how to display the text and shows it as:
The above JavaScript renders in a browser as a hyperlink on the “test” text; when clicked, it shows an in-browser rendering of the “This is not Bing” text in a window attributed to bing.com, as shown below.
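As an added defensive example (not code from the advisory or from Baloch's write-up), the check below flags URLs that carry Unicode bidirectional control characters, whether raw or percent-encoded, or a hostname that mixes left-to-right and right-to-left script; the sample URLs are constructed for illustration.

```python
import unicodedata
from urllib.parse import unquote, urlsplit

# Unicode bidi control characters (U+200E/F, U+202A-E, U+2066-9). Any of them
# inside a URL can change the order in which an address bar draws the text.
BIDI_CONTROLS = {
    "\u200e": "LRM", "\u200f": "RLM",
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(url):
    """Return (component, index, 'U+XXXX', short_name) for each bidi control.

    The URL is percent-decoded first, so %E2%80%AE (UTF-8 for U+202E) is
    caught the same way as a raw U+202E.
    """
    parts = urlsplit(unquote(url))
    findings = []
    for name in ("scheme", "netloc", "path", "query", "fragment"):
        for i, ch in enumerate(getattr(parts, name)):
            if ch in BIDI_CONTROLS:
                findings.append((name, i, f"U+{ord(ch):04X}", BIDI_CONTROLS[ch]))
    return findings


def has_mixed_direction_host(url):
    """True if the hostname mixes strong LTR and strong RTL characters,
    which is what makes a reordered display plausible to a reader."""
    host = urlsplit(unquote(url)).hostname or ""
    classes = {unicodedata.bidirectional(ch) for ch in host}
    return "L" in classes and bool(classes & {"R", "AL"})


def is_suspicious(url):
    """Combined verdict suitable for a URL filter or mail gateway rule."""
    return bool(find_bidi_controls(url)) or has_mixed_direction_host(url)


if __name__ == "__main__":
    # Constructed sample inputs; the last one hides the override in %-encoding.
    for sample in ("https://example.com/login",
                   "https://example.com/\u202ehtml.evil",
                   "https://example.com/%E2%80%AEhtml.evil"):
        print(repr(sample), "->", is_suspicious(sample), find_bidi_controls(sample))
```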
Now, some browsers are more popular than others, but even some of these relatively obscure browsers have pretty impressive download stats. The least popular, Bolt, has over 210,000 reviews and ranks No. 47 in the App Store, and UC Browser is probably the most popular non-FOCES browser around, with over 500 million downloads from Google Play. Yandex is pretty popular too, at over 100 million installs, and RITS is sitting at over a million. Altogether, nothing to sneeze at, installation-wise, according to Rapid7's data.
“With the ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” Baloch said.
First and foremost, it is easy to persuade a victim to hand over credentials or to install malware when the address bar points to a trusted website and gives no indication of forgery. Secondly, since the vulnerability exploits a specific feature of the browser, it can evade several anti-phishing schemes and solutions.