Popular mobile browsers are vulnerable to bar spoofing attacks

Cybersecurity researchers on Tuesday revealed details of a security vulnerability affecting multiple security browsers including Apple Safari and Opera Touch, which leaves the door open to spear phishing attacks and malware delivery.

Other browsers affected are UCWeb, Yandex Browser, Bolt Browser, and RITS Browser.

The deficiencies were discovered by Pakistani security researcher Rafay Baloch in the summer of 2020 and jointly reported by Baluch and cybersecurity company Rapid7 in August, before being fixed by browser manufacturers in recent weeks.

UCWeb and Bolt Browser are not yet patched, while Opera Mini is expected to receive a fix on November 11, 2020.

The problem arises from the use of malicious JavaScript executable code on any website to force the browser to refresh the address bar while the page is still loading to a different address from the attacker.

“The vulnerability occurs because Safari persists the address bar of the URL when requested on any port. The function to set the interval reloads bing.com:8080 every 2 milliseconds and therefore the user cannot see the redirect from the original URL to the spoofed URL. “Said Rafay Baloch in technical analysis.

“What makes this vulnerability more effective in Safari by default is not showing the port number in the URL until the focus is placed over the cursor.”

Expressed differently; An attacker could host a malicious website and trick the target into opening the link from a spoofed email or text message. This could allow an unsuspecting recipient to download malware or risk their credentials being stolen.

The investigation also found that the macOS version of Safari is prone to the same bug, which Rapid7 says was fixed in a Big Sur macOS update released last week.

This is not the first time such a vulnerability has been discovered in Safari. Back in 2018, Baloch had reported a similar bug in address bar spoofing, which resulted in the browser retaining the address bar and loading the content from the fake page via a time delay caused by JavaScript.

“As spear phishing attacks become more complex, exploiting browser-based vulnerabilities such as spoofing in the address bar can exacerbate the success of spear phishing attacks and therefore prove very deadly,” said Baloch.

“First and foremost, it is easy to convince the victim to steal credentials or distribute malware if the address bar points to a trusted website and does not contain spoofing indicators. Second, by exploiting a specific function in a browser, the vulnerability can evade multiple anti-functionality phishing schemes and solutions. ”