According to research, an address bar spoofing flaw affects several mobile browsers, including Apple Safari, Opera Touch, UCWeb, Bolt Browser, Yandex Browser, and RITS Browser. The discovery comes from Pakistani researcher Rafay Baloch and cybersecurity firm Rapid7. Note that UCWeb and Bolt are still unpatched, while Opera Mini should be fixed on November 11, 2020.
Where does the address bar spoofing flaw reside?
Rafay says that the address bar spoofing flaw is more effective in Safari by default, as the browser doesn’t reveal the port number in the URL “unless and until focus is set via cursor.”
In other words, threat actors can set up a malicious website and trick the victim into opening a link to it sent in a spoofed email or text message. Opening the link would expose the potential victim to malware or to the theft of their credentials.
Safari on macOS is also vulnerable to this flaw. Fortunately, the bug was fixed in a Big Sur macOS update last week.
Baloch discovered similar spoofing flaw in 2018
The tests indicated that a request to a non-existent port triggered a race condition in the memory process, allowing malicious code to spoof the address. Following the report, a security advisory was assigned, and the two companies were notified. The issue was tracked in the CVE-2018-8383 advisory.