Researchers at the cyber-security firm Rapid7 have claimed that several popular mobile browsers are vulnerable to ten new ‘address bar spoofing’ vulnerabilities, jeopardizing the privacy and digital security of their users. According to the report, the affected browsers include Safari, Opera Touch, Opera Mini, Bolt, RITS, UC Browser and Yandex Browser.

The issues were discovered earlier this year by Rapid7 researchers in association with the Pakistani cyber-security analyst Rafay Baloch, and were reported to the respective developers in August. While Apple has since released a fix for Safari, Opera says it will roll out a patch on November 11. The remaining developers are said to have either ignored the warnings or failed to follow up after an initial response.

While address bar spoofing has existed since the early days of the world wide web, most desktop browsers have added several layers of protection over the years to prevent websites from hiding their true identity from visitors. However, because of the limited screen space on mobile devices, some of the checks that defend against spoofing cannot easily be accommodated there, which leaves mobile browsers many times more exposed to such attacks.

Explaining how address bar spoofing works, the researchers said that “Exploitation all comes down to ‘Javascript shenanigans’”. According to Rapid7’s Research Director, Tod Beardsley, “By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website”.
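The timing problem Beardsley describes above comes down to one invariant a browser must keep: the origin shown in the address bar has to be the origin of the document that currently owns the rendered content. The following is an added educational model, not code from the article, Rapid7 or Baloch. It is a toy state machine in JavaScript that compares two address-bar policies: an "eager" one that updates the bar as soon as a navigation is requested (while the old document is still alive and still running scripts), and a "safe" one that updates it only when the new document commits. The event names, policy names and URLs are constructed for this example.

```javascript
// Added example (not the article's, Rapid7's or Baloch's code): a toy model of
// how a browser keeps its address bar in sync with the viewport.
//
// Security invariant: origin(address bar) === origin(document owning the viewport).
// Updating the bar when a navigation is merely *requested* breaks it, because the
// previous document keeps owning the viewport until the new one commits.

const SAFE = "safe";   // bar changes only when the new document commits
const EAGER = "eager"; // bar changes as soon as a navigation is requested

function originOf(url) {
  return new URL(url).origin;
}

// Replay a list of events under one policy and return every moment at which
// something was painted while the bar and the viewport owner disagreed.
// Event shapes (constructed for this model):
//   { type: "request", url } - a navigation to `url` has been started
//   { type: "commit",  url } - the response for `url` arrived; it now owns the viewport
//   { type: "paint" }        - the current owner draws into the viewport
function simulate(events, policy) {
  let displayed = "https://start.example/"; // what the address bar shows
  let owner = "https://start.example/";     // document that owns rendered content
  const mismatches = [];

  for (const ev of events) {
    if (ev.type === "request" && policy === EAGER) {
      displayed = ev.url; // eager policy: trust the request before it lands
    } else if (ev.type === "commit") {
      owner = ev.url;     // the new document now owns the viewport ...
      displayed = ev.url; // ... and only now may the bar show its URL
    } else if (ev.type === "paint" && originOf(displayed) !== originOf(owner)) {
      mismatches.push({ shown: displayed, actual: owner });
    }
  }
  return mismatches;
}

// Constructed scenario: the user is on untrusted.example, which starts a
// navigation to bank.example and paints once more before that navigation commits.
const EXAMPLE_EVENTS = [
  { type: "commit", url: "https://untrusted.example/" },
  { type: "request", url: "https://bank.example/login" },
  { type: "paint" }, // old document still owns the viewport here
  { type: "commit", url: "https://bank.example/login" },
  { type: "paint" }, // new document owns the viewport; bar and content agree
];

// Returns a summary usable as a quick check of the invariant under each policy.
function compare(events) {
  return {
    eagerMismatches: simulate(events, EAGER).length,
    safeMismatches: simulate(events, SAFE).length,
  };
}

console.log(compare(EXAMPLE_EVENTS));
```

Under the eager policy the model reports one paint during which the bar claims bank.example while untrusted.example still owns the content; under the safe policy it reports none. The point for a browser implementer (and for a reviewer of a browser's address-bar logic) is that the fix is a state-machine rule, not a timing tweak: never let the displayed URL run ahead of the committed document.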

You can learn more technical details about the findings on Baloch’s website or the Rapid7 blog.
