Apple, Opera, and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable – ProWellTech
Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we are mostly trained to spot the tell-tale signs of a phishing site. However, most of us rely on carefully checking the web address in the browser’s address bar to make sure the site is legitimate.
But even the browser’s anti-phishing capabilities – often the last line of defense for a potential phishing victim – are not perfect.
Security researcher Rafay Baloch has found several vulnerabilities in some of the most widely used mobile browsers – including Apple’s Safari, Opera, and Yandex – that would allow an attacker to trick the browser into displaying a web address other than that of the site the user is actually on. These address bar spoofing bugs make it easier for attackers to make their phishing pages look like legitimate websites, and create the perfect conditions for someone trying to steal passwords.
The bugs work by exploiting a weakness in the time it takes a vulnerable browser to load a website. Once a victim is tricked into opening a link from a phishing email or text message, the malicious website uses code hidden on the page to effectively replace its own web address in the browser’s address bar with another web address chosen by the attacker.
In at least one case, the vulnerable browser kept the green padlock icon, indicating that the malicious website with a spoofed web address was legitimate – when it wasn’t.
Rapid7 research director Tod Beardsley, who helped Baloch identify the vulnerabilities for each browser manufacturer, said address bar spoofing attacks put mobile users at particular risk.
“Space is absolutely tight on mobile devices, so every fraction of an inch counts. As a result, there is not much room for security signals and seals,” Beardsley told ProWellTech. “In a desktop browser, you can either look at the link you’re on, hover over a link to see where you’re going, or even click the lock to get certificate details. These additional sources don’t actually exist on mobile devices, so the location bar not only tells the user what site they are on, but is also designed to clearly and confidently tell the user. When you’re on palpay.com instead of the expected paypal.com, you might notice this and know you are on a fake website before entering your password.”
“Spoofing attacks like this make the location bar ambiguous and allow an attacker to give credibility and trustworthiness to their spoofed site,” he said.
Baloch and Beardsley said browser makers had responded with mixed results.
So far, only Apple and Yandex have released corrections in September and October. Opera spokeswoman Julia Szyndzielorz said the fixes for the Opera Touch and Opera Mini browsers are “being introduced gradually”.
The manufacturers of UC Browser, Bolt Browser and RITS Browser, which together have more than 600 million device installations, did not respond to the researchers and left the security holes unpatched.
ProWellTech has reached out to every browser manufacturer, but as of the time of publication, none have made a statement.