Many Mobile Browsers Vulnerable to Address Bar Spoofing
Security analysts from Rapid7 and independent cybersecurity expert Rafay Baloch have discovered that seven popular mobile browsers allow malicious websites to alter the URL and display a fake address in the address bar.
The problem of address bar spoofing is almost as old as the web itself. Modern desktop browsers have numerous security mechanisms that make a fake URL easy to detect, but mobile versions of browsers often lack these protections. The main reason is the limited screen size of mobile devices, which has forced developers to compromise on some security measures.
As mentioned above, the researchers found that the following seven mobile browsers are vulnerable to this type of spoofing:
- Apple Safari
- Opera Touch
- Opera Mini
- Bolt
- RITS
- UC Browser
- Yandex Browser
The researchers explain that exploiting these bugs usually involves various JavaScript manipulations. For example, by exploiting the window between the moment a page begins loading and the moment the browser updates the URL in the address bar, a malicious site can force the browser to display an incorrect address. Most often, this will be the URL of a legitimate site that the attackers are trying to impersonate. A detailed description of all the discovered bugs can be found on Baloch’s blog.
The vulnerabilities were identified in the summer of this year, and the researchers notified the developers about the issues in August. As shown in the table below, major vendors fixed the vulnerabilities quite quickly, while smaller ones did not even respond to the experts, let alone release patches.
Experts strongly recommend that users update their browsers. Where patches are not yet available, they advise switching to a different, more secure browser.