Multiple Mobile Browsers Vulnerable to Address Bar Spoofing

Khush Bhatt October 22, 2020 Spoofing

As reported by Zscaler in April 2020, a significant increase (about 85%) in phishing attacks was seen, targeting remote workers. Attackers had registered domains featuring Covid-19 related keywords such as “virus”, “vaccine” etc. in order to steal credentials and disseminate malware, most notably ransomware, to commit financial fraud.

As spear-phishing attacks grow more sophisticated, vulnerabilities like address bar spoofing make them more convincing and harder to distinguish from legitimate sites. Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers.

Affected Browsers

These vulnerabilities were first reported by Pakistani researcher Rafay Baloch and Tod Beardsley of Rapid7 in August 2020, and the browser vendors have now started releasing patches.

Quick intro to Address Bar Spoofing 

An attacker can craft a phishing link or an HTML page that a vulnerable browser handles in such a way that the attacker can set document.location to the genuine domain; the user then sees the genuine domain name loading in the address bar and may end up entering their email and password believing the site is legitimate. This is how an attacker spoofs the address bar.

The vulnerability occurs because Safari preserves the URL in the address bar when the request is made over an arbitrary port: a setInterval function reloads bing.com:8080 every 2 milliseconds, so the user cannot recognize the redirection from the original URL to the spoofed one. What makes this more effective is that Safari by default does not reveal the port number in the URL unless focus is set on the address bar via the cursor.

Our team has tested this successfully in Safari Version 5.1.7.
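From the defender's side, the observable indicator of the pattern described above is a link to a brand domain carrying an explicit non-default port (bing.com:8080) that the browser then hides. The following triage helper, an added example that is not part of the original post, flags such URLs in a batch of links pulled from mail or proxy logs; the sample URLs and the brand watch-list are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample of links as they might appear in mail or proxy logs.
SAMPLE_URLS = [
    "https://bing.com:8080/",            # explicit non-default port (the post's example)
    "https://www.bing.com/search?q=x",   # ordinary link, no explicit port
    "http://facebook.com:8443/login",    # explicit non-default port on a brand host
    "https://mail.google.com:443/",      # explicit but default port, harmless
    "http://203.0.113.10:8080/",         # raw IP, not on the watch-list
]

# Constructed watch-list of brand domains; a deployment would supply its own.
WATCHED_DOMAINS = {"bing.com", "facebook.com", "google.com"}

DEFAULT_PORTS = {"http": 80, "https": 443}


def hostname_matches(host, watched):
    """True when host is a watched domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watched)


def flag_explicit_port(url, watched=WATCHED_DOMAINS):
    """Return (True, reason) when url names a watched domain with an explicit
    port other than the scheme default; otherwise (False, None)."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return False, None
    try:
        port = parts.port            # raises ValueError on a malformed port
    except ValueError:
        return True, "unparseable port in netloc"
    if port is None or port == DEFAULT_PORTS[parts.scheme]:
        return False, None
    if not hostname_matches(parts.hostname, watched):
        return False, None
    return True, f"{parts.hostname} served on non-default port {port}"


def triage(urls):
    """Return the (url, reason) pairs worth a closer look."""
    hits = []
    for url in urls:
        flagged, reason = flag_explicit_port(url)
        if flagged:
            hits.append((url, reason))
    return hits


if __name__ == "__main__":
    for url, reason in triage(SAMPLE_URLS):
        print(f"{url}: {reason}")
```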

Not Bing Browser: here you can see a bing.com domain with a phishing page.
Fake Bing Browser Code: here you can see the output for the code.
Phishing Facebook Page: this is the example in which you can see a genuine domain with a phishing Facebook page.
Fake Gmail: URL spoofing attack with more realistic visuals of Gmail.

Conclusion

Time and again, breach investigation reports have concluded that passwords are the #1 target of hackers and that phishing is the top risk for every enterprise. The world is yet to find an effective solution for phishing and spear-phishing attacks.

PureAUTH passwordless suites eliminate passwords from an enterprise, and with them the threat of phishing and spear-phishing. Check out how we secure our users from in-mobile phishing attacks with our best passwordless authentication solution.
