A Set of Address Bar Spoofing Vulnerabilities in Mobile Browser

Security researchers on Tuesday disclosed a set of address bar spoofing vulnerabilities affecting multiple mobile browsers. The affected browsers range from widely used ones such as Apple Safari and Opera Touch to UCWeb's UC Browser, Yandex Browser, Bolt Browser, and RITS Browser, and the flaws leave their users open to spear-phishing attacks and malware delivery.

Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been as dangerous as they are today. The flaws were found by security researcher Rafay Baloch in the summer of 2020 and jointly reported by Baloch and cybersecurity firm Rapid7 in August, before being communicated to the browser developers over the last few days.

A Rapid7 executive explained that by manipulating the timing between when a page loads and when the browser gets a chance to refresh the address bar URL, a malicious site can force the browser to display an incorrect address.

Spoofing Vulnerabilities in Affected Browsers

The problems were discovered earlier this year and reported to browser makers in August. The major vendors patched the issues promptly; UCWeb and Bolt Browser remain unpatched as yet, while Opera Mini is expected to receive a fix on November 11, 2020. The full list follows:

CVE            | Vendor             | Product       | Version    | Platform | Status
CVE-2020-7363  | UCWeb              | UC Browser    | 13.0.8     | Android  | No reply from vendor
CVE-2020-7364  | UCWeb              | UC Browser    | 13.0.8     | Android  | No reply from vendor
CVE TBD-Opera  | Opera              | Opera Mini    | 51.0.2254  | Android  | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera  | Opera              | Opera Touch   | 2.4.4      | iOS      | Fixed in version 2.4.5, released Sep. 15, 2020
CVE TBD-Opera  | Opera              | Opera Touch   | 2.4.4      | iOS      | Fixed in version 2.4.5, released Sep. 15, 2020
CVE TBD-Opera  | Opera              | Opera Touch   | 2.4.4      | iOS      | Fixed in version 2.4.5, released Sep. 15, 2020
CVE-2020-7369  | Yandex             | Yandex Browser| 20.8       | Android  | Automated reply, followed up Oct. 19, 2020; fix published Oct. 1 in version 20.8.4
CVE-2020-7370  | Danyil Vasilenko   | Bolt Browser  | 1.4        | iOS      | Support email bounced; alerted Apple product security
CVE-2020-7371  | Raise IT Solutions | RITS Browser  | 3.3.9      | Android  | Fix expected Oct. 19, 2020
CVE-2020-9987  | Apple              | iOS           | 13.6       | iOS      | Fix released Sept. 16, 2020

Table reproduced from Rapid7.

In this variant, the attacker constructs a URL that mixes right-to-left (RTL) and left-to-right (LTR) characters. Baloch gave the following example:

127.0.0.1/|/http://example.com.

When the page is opened in a mobile browser, the browser mishandles the text direction and displays it as:

http://example.com/|/127.0.0.1

The above JavaScript renders in a browser as a hyperlink on the "test" text; when clicked, it shows an in-browser rendering of the "This is not Bing" text in a window attributed to bing.com, as shown below.

(Image: Mobile Browser)

Some browsers are more popular than others, but even the relatively obscure ones have impressive download statistics: the least popular, Bolt, has over 210,000 reviews and ranks No. 47 in the App Store, and UC Browser is probably the most popular non-FOCES browser around, with over 500 million downloads from Google Play. Yandex is popular too, at over 100 million installs, and RITS sits at over a million. Altogether, nothing to sneeze at installation-wise, according to Rapid7's data.

“With the ever-growing sophistication of spear-phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” Baloch said.

First and foremost, it is easy to persuade a victim into handing over credentials, or to distribute malware, when the address bar points to a trusted website and gives no indication of forgery. Secondly, since the vulnerability exploits a specific feature of the browser, it can evade several anti-phishing schemes and solutions.