Chrome, Firefox and likely other major browsers are afflicted by a vulnerability that allows attackers to spoof URLs in the address bar. While Mozilla said it has patched the flaw in the affected Android version of the Firefox browser, Google said Chrome will be fixed in an upcoming September release.
Some details about the flaw were disclosed yesterday by researcher Rafay Baloch, who presented a paper on the broader topic of address bar spoofing in March at Black Hat Asia in Singapore. Baloch said in a post to his personal website that the current issue lies in the fact that Chrome and Firefox for Android mishandle the rendering of Unicode characters such as “|” from Arabic and Hebrew. Those are generally displayed right to left, and when combined with an IP address that contains a mishandled character, the browser will flip the URL address to right to left.

As Baloch explains, the logical order of characters would be “127.0.0.1/|/http://example.com/”, but that would get flipped in the address bar to display “http://example.com/|/127.0.0.1.”

“The IP address part can be easily [hidden] especially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch wrote. “In order to make the attack more realistic, a unicode version of padlock can be used in order to demonstrate the presence of SSL.”

The vulnerability (CVE-2016-5267) behaved differently in Firefox for Android, Baloch said, in that it did not require an IP address to trigger it. Instead, Arabic right-to-left characters would produce the same result.

“Mozilla was informed of the issue which affects Firefox for Android. This did not affect desktop versions of Firefox,” said Mozilla principal security engineer Dan Veditz. “Mozilla has fixed the issue in the current version of Firefox for Android (patched Aug. 2). Users should always make sure to update to the latest version of Firefox for the most-recent security updates and features.”

Mozilla confirmed it paid Baloch a $1,000 reward for his disclosure.

Since the user would see the intended destination site first in the address bar, which is known as Omnibox in Chrome, it’s unlikely they would be suspicious, Baloch said.
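The spoof described above works because a right-to-left letter or a Unicode direction-control character inside a URL changes how a bidi-aware text field lays the string out, so the address bar can show a different host than the one the browser actually connects to. A defensive counterpart is to flag such URLs before they reach a user, for example in a link scanner, a mail gateway or a proxy log review. The following is an added example, not code from the article or from the researcher or browser vendors it discusses: it uses Python's standard `unicodedata` module to report every character in a URL (literal or percent-encoded) whose bidirectional class is right-to-left or is an explicit direction embedding/override/isolate, and it additionally flags the padlock glyphs that Baloch mentions as a way to fake an SSL indicator. The sample URLs, the Arabic and Hebrew letters used in them, and the function names are constructed for the example.

```python
import unicodedata
from urllib.parse import unquote

# Bidi classes that pull neighbouring text into right-to-left display order:
# strong RTL letters (Hebrew "R", Arabic "AL") and Arabic-Indic digits ("AN").
RTL_LETTER_CLASSES = {"R", "AL", "AN"}

# Explicit direction embeddings, overrides and isolates (U+202A..U+202E,
# U+2066..U+2069). These are invisible and can reorder anything that follows.
DIRECTION_CONTROL_CLASSES = {"RLE", "RLO", "RLI", "LRE", "LRO", "LRI", "FSI", "PDI", "PDF"}

# Glyphs that imitate a browser's padlock/secure-connection indicator
# (LOCK, CLOSED LOCK WITH KEY, LOCK WITH INK PEN). Constructed list for the
# example; extend it to whatever your UI could be mistaken for.
PADLOCK_GLYPHS = {"\U0001F512", "\U0001F510", "\U0001F50F"}


def scan_url(url: str) -> list:
    """Return a finding for every character that could alter how `url` is
    displayed in a bidi-aware address bar or fake a security indicator.

    Each finding is (index, character, unicode_name, reason, source), where
    reason is the character's bidi class or "padlock glyph", and source is
    "raw" for the string as given or "decoded" for its percent-decoded form
    (address bars commonly display the decoded path, so both are checked).
    """
    texts = [("raw", url)]
    decoded = unquote(url)
    if decoded != url:
        texts.append(("decoded", decoded))

    findings = []
    for source, text in texts:
        for i, ch in enumerate(text):
            cls = unicodedata.bidirectional(ch)
            reason = None
            if cls in RTL_LETTER_CLASSES or cls in DIRECTION_CONTROL_CLASSES:
                reason = cls
            elif ch in PADLOCK_GLYPHS:
                reason = "padlock glyph"
            if reason is not None:
                name = unicodedata.name(ch, "<unnamed U+%04X>" % ord(ch))
                findings.append((i, ch, name, reason, source))
    return findings


def is_spoof_candidate(url: str) -> bool:
    """True when the URL contains at least one display-altering character."""
    return bool(scan_url(url))


if __name__ == "__main__":
    # Constructed sample URLs: the first mirrors the article's pattern with an
    # Arabic letter (U+0627 ALEF) between a loopback address and a decoy host;
    # the second hides a RIGHT-TO-LEFT OVERRIDE behind percent-encoding; the
    # third carries a fake padlock; the last is a normal, safe URL.
    samples = [
        "http://127.0.0.1/\u0627/http://example.com/",
        "https://example.com/%E2%80%AE",
        "https://example.com/\U0001F512login",
        "https://example.com/search?q=hello",
    ]
    for u in samples:
        verdict = "SUSPICIOUS" if is_spoof_candidate(u) else "ok"
        print(f"{verdict:10} {u!r}")
        for idx, ch, name, reason, source in scan_url(u):
            print(f"    [{source}] offset {idx}: U+{ord(ch):04X} {name} ({reason})")
```

In a gateway you would typically treat any finding in the scheme, host or path as a hard block and findings in the query string as a lower-severity signal, since legitimate RTL content does appear in search parameters. The check deliberately does not try to run the full Unicode Bidirectional Algorithm: the question for a defender is not exactly how the string would be drawn, but whether it contains anything that could be drawn misleadingly.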
“[A] variation of similar vulnerability has also been discovered in several other browsers that are still undergoing a fix there,” Baloch wrote. “I am refraining from disclosing them. Details will be disclosed, once a fix has been landed.” Baloch’s Black Hat Asia talk, meanwhile, focused on mobile browsers, Android in particular, and he presented attacks that bypassed security policies such as the Same Origin Policy, in addition to address bar and content spoofing vulnerabilities, among others.