Graphic for illustration

Cybersecurity researchers on Tuesday disclosed details about an address bar spoofing vulnerability affecting multiple mobile browsers, such as Apple Safari and Opera Touch, leaving the door open for spear-phishing attacks and delivering malware.

Other impacted browsers include UCWeb, Yandex Browser, Bolt Browser, and RITS Browser.

The flaws were discovered by Pakistani security researcher Rafay Baloch in the summer of 2020 and jointly reported by Baloch and cybersecurity firm Rapid7 in August before they were addressed by the browser makers over the past few weeks.

UCWeb and Bolt Browser remain unpatched as yet, while Opera Mini is expected to receive a fix on November 11, 2020.

The issue stems from using malicious executable JavaScript code in an arbitrary website to force the browser to update the address bar while the page is still loading to another address of the attacker’s choice.

Original PoC demo

“The vulnerability occurs due to Safari preserving address bar of the URL when requested over an arbitrary port, the set interval function reloads bing.com:8080 every 2 milliseconds and hence user is unable to recognize the redirection from the original URL to spoofed URL,” Rafay Baloch said in technical analysis.

“What makes this vulnerability more effective in Safari by default does not reveal port number in URL unless and until focus is set via cursor.”

Put differently; an attacker can set up a malicious website and lure the target into opening the link from a spoofed email or text message, thereby leading an unsuspecting recipient into downloading malware or risk getting their credentials stolen.

The research also found the macOS version of Safari to be vulnerable to the same bug, which according to Rapid7 has been addressed in a Big Sur macOS update released last week.

This is not the first time such vulnerability has been spotted in Safari. Back in 2018, Baloch disclosed a similar kind of address bar spoofing flaw that caused the browser to preserve the address bar and to load the content from the spoofed page through a JavaScript-induced timing delay.

“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear-phishing attacks and hence prove to be very lethal,” Baloch said.

“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators forgery, secondly since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”