Are you where you think you are, or are you where I want you to think you are?
The infosec outfit, along with its “longtime mobile hacker friend Rafay Baloch,” discovered the software could be tricked into displaying the URL of one website while loading and displaying content from another. Such trickery is useful to, among others, thieves and fraudsters who might want to replace a bank’s online login page with one designed to harvest unwitting users’ login details.
“Because we have very few ways to actually validate the source of data on our phones, the address bar is pretty much the only bit of screen real estate that developers (angelic and devilish alike) are prohibited from monkeying with,” wrote Rapid7’s Tod Beardsley in a blog post.
He went on to explain: “By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”
Over on his own website, Baloch (no stranger to researching address bar spoofing attacks) published proof-of-concept code for exploiting Yandex Browser, Safari and Opera.
“It is pertinent to mention here that several mobile browsers with huge user-base do not even have a dedicated email for reporting security vulnerabilities, which discourages security researchers from reporting security vulnerabilities,” he said. “Google Chrome and Firefox have a bug bounty program in which both Desktop and mobile browsers are in-scope, whereas Microsoft’s bug bounty program is only limited to Desktop version.”
Thanks to this research, patches have been issued for UCWeb (CVE-2020-7363 and CVE-2020-7364), Opera Touch, Yandex Browser (CVE-2020-7369), Safari (CVE-2020-9987) and RITS Browser (CVE-2020-7371). Updating these applications to their latest versions should close the holes.
Opera Mini is expected to be patched on November 11. Meanwhile, Bolt's Browser also appears to be affected, though Rapid7 could not reach its maintainer.
Jake Moore, an infosec specialist with antivirus vendor Eset, told The Register that end users need not worry, provided they’ve installed patches recently.
“We tend to let our browser auto-update, which means we can sit back and enjoy browsing securely without having to think about extra protection. However, with some particular browsers, it may not be as straightforward,” he explained. “Worryingly, the link will look genuine if long pressed. But as always, try to limit the amount of sensitive data you divulge or try to stick to one of the other browsers on offer which have clearly been quicker to patch this vulnerability.”
He concluded: “Until a patch is released, I would advise people to urge even more caution when presented with links in emails and other messages which could be suspicious.” ®