Below is a press release on the web browser address bar vulnerability disclosed by Cyber Citadel Lead Security Researcher Rafay Baloch and Rapid7 Director of Research Tod Beardsley. By Cyber Citadel
Cyber Citadel Lead Security Researcher Rafay Baloch together with Rapid7 Director of Research Tod Beardsley disclosed address bar spoofing vulnerabilities today in seven mobile web browsing applications. The flaws put hundreds of millions of users at risk of falling victim to malware-riddled websites and spear-phishing campaigns.
The vulnerabilities were found in browsers ranging from the well-known Apple Safari and Opera Touch to more niche products such as Yandex, Bolt, UC Browser and RITS.
Address bar spoofing allows an attacker to make the address bar of a malicious website display the URL of a legitimate website, such as google.com, bing.com, facebook.com or apple.com, instead of the page's real address.
On desktop devices, address bars come with various features that alert users when they access a potentially insecure website. Usually these features are represented by a padlock at the far left of the address bar; by clicking on the padlock, users can view the website's SSL certificate and confirm that it is valid.
However, security indicators on mobile devices are harder to find because the lack of screen space restricts the ability to inspect these security elements. With typical users unaware of how to validate a website in a mobile browser, cybercriminals are free to serve malicious pages with spoofed URLs.
In Baloch’s proof of concept report, he makes clear that browser vendors such as Google categorically state that the address bar is the only reliable security indicator in modern browsers. With address bars now open to the kind of spoofing proven by Baloch, mobile web browsing security features will have to be considered in more detail.
Address bar spoofing traditionally scores as a medium risk of around 4.3 out of 10 on the Common Vulnerability Scoring System (CVSS). However, with the 667% increase in spear-phishing attacks during the Covid-19 pandemic, Baloch believes that this vulnerability should be considered high risk and prioritised by application vendors.
After Baloch found the vulnerability earlier this year, Rapid7’s Tod Beardsley contacted the relevant vendors on 10 August 2020. Beardsley then coordinated making the responsible disclosure public, publishing it on the Rapid7 website.
Baloch’s report showed that, using code written in JavaScript, he was able to manipulate webpage loading time and interrupt page refreshes with pop-ups appearing to come from an arbitrary website, or render content in the browser window that falsely appeared to come from an arbitrary website. Because a JavaScript setInterval function reloads the page every two milliseconds, users would be unable to notice the switch from the original URL to the spoofed URL.
These fraudulent pop-up notifications or false page contents could imitate legitimate organisations such as banks, healthcare providers, or other critical services.
In certain mobile web browsing applications like Safari, the vulnerability is more effective as URLs do not reveal the port number by default, and only when focus is set via the cursor.
“Imagine a scenario where you are browsing any domain of your choice, and the address bar says it’s Google.com, or WHO.org, but the content is being controlled by an attacker,” said Baloch while describing the vulnerability. “There is absolutely no way for a common user to know whether the domain is legitimate or not. This is what an address bar spoofing vulnerability exploits in a browser.”
Since the CVEs were disclosed to the respective web browsing software developers, replies regarding remediation have been varied. As expected, Apple and Opera responded promptly with tickets logging the initial query in August, and establishing fixes or expected fixes to the vulnerability.
However, the more obscure web browsers have not addressed the bug; some even failed to acknowledge the query entirely. Although less popular than Apple and Opera, some of those that failed to communicate have user bases that cannot be ignored in terms of size and scope.
UC Browser, largely used on Android devices in China, India and Indonesia, currently logs over 500 million users on Google Play. Although Yandex, Bolt and RITS have significantly lower user figures, they are used specifically in certain countries, or for reasons of data security. Baloch noted in his report that some of the smaller vendors did not even offer dedicated email addresses for reporting security vulnerabilities.
Users of the affected web browsers are recommended to note the software listed, and the steps developers have taken to fix the vulnerabilities, in the report published by Rapid7. Users should check their software version to make sure it is up to date. If using a version that is the same as or older than those listed, users should look for a manual or automatic update immediately.
If a software update is unavailable for whatever reason, or a developer listed has not replied with an expected fix date, users should be extra vigilant about clicking through on links sent by text or email from unknown sources. If a user experiences any unwarranted pop-ups while using a vulnerable browser, the pop-ups should be ignored and the application uninstalled.
Baloch reported multiple vulnerabilities on Chrome and Firefox browsers in 2016, Google Inc’s Android browser in 2014, and was paid a total of US$10,000 for reporting a Code Execution/Command Execution vulnerability on PayPal’s sub-domain in 2012. He is considered one of the world’s top ethical hackers and listed in Google, Facebook, PayPal and Microsoft Halls of Fame.