CVE-2019-12329 is an address bar spoofing vulnerability in the DuckDuckGo browser for Android version 5.26.0. The browser has more than 5 million installations, and its users are exposed to URL spoofing attacks.
The vulnerability was discovered by security researcher Dhiraj Mishra who reported it to DuckDuckGo’s security team via their bug bounty program hosted on HackerOne.
How Does CVE-2019-12329 Work?
The vulnerability can be exploited in URL spoofing attacks where the URL displayed in the address bar is changed to trick users into believing the website they’re visiting is legitimate and not controlled by attackers.
In reality, the website is attacker-controlled. A similar vulnerability was disclosed earlier in May in UC Browser for Android. Security researcher Arif Khan discovered “an URL Address Bar spoofing vulnerability in the latest version of the UC Browser 220.127.116.114 and UC Browser Mini 18.104.22.1682 that have over 500mn and 100mn installs each respectively, as per Playstore”.
The UC Browser vulnerability also enables attackers to masquerade their phishing domains as the website they are targeting, thus appearing trustworthy to users. How does this work? The blogspot.com domain can pretend to be facebook.com, Khan explained, by tricking the user into visiting www.google.com.blogspot.com/?q=www.facebook.com.
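The check that defends against this class of spoof is separating the host a browser actually connects to from the domain-looking strings an attacker places elsewhere in the URL (subdomain labels, path, query). The following Python is an added example, not code from the article or from either browser; `registrable_domain` is a deliberately simplified eTLD+1 helper (last two labels, no public-suffix list), and `decoy_domains` is a hypothetical heuristic a URL filter or log analyser could apply to the Khan example above.

```python
import re
from typing import List
from urllib.parse import urlsplit, parse_qsl

# Matches anything shaped like a hostname, e.g. "www.facebook.com".
DOMAIN_RE = re.compile(r"(?i)\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def registrable_domain(host: str) -> str:
    """Simplified eTLD+1: the last two labels of the host.
    Assumption: no public-suffix list is consulted, so multi-part
    suffixes such as co.uk are not handled by this toy helper."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def decoy_domains(url: str) -> List[str]:
    """Return domain-like strings in the URL whose registrable domain
    differs from the real host's. These are the names a spoofed
    address bar would show the user instead of the true site.
    Assumes a full URL with a scheme (constructed inputs in the test)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    real = registrable_domain(host)

    fragments = []
    # 1. Leading labels of the host itself: "www.google.com" in
    #    www.google.com.blogspot.com looks like Google but is not.
    if host.endswith(real):
        fragments.append(host[: -len(real)].rstrip("."))
    # 2. Path, decoded query values and fragment can all carry a
    #    lookalike such as ?q=www.facebook.com.
    fragments.append(parts.path)
    fragments += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    fragments.append(parts.fragment)

    seen, decoys = set(), []
    for text in fragments:
        for cand in DOMAIN_RE.findall(text):
            cand = cand.lower()
            if registrable_domain(cand) != real and cand not in seen:
                seen.add(cand)
                decoys.append(cand)
    return decoys


def spoof_report(url: str) -> dict:
    """Summary a defender can log or display: the real host, what the
    address bar should emphasise, and any decoy names found."""
    host = (urlsplit(url).hostname or "").lower()
    return {"host": host, "show": registrable_domain(host),
            "decoys": decoy_domains(url)}
```

For the URL from the article, the report says the connection goes to blogspot.com while "www.google.com" and "www.facebook.com" are decoys, which is exactly the distinction a correctly rendered address bar must make visible.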
More about DuckDuckGo
DuckDuckGo is an Internet privacy company that empowers users to seamlessly take control of their personal information online, without any tradeoffs. Advertised as “the search engine that doesn’t track you”, the company has started a bug bounty program hosted on the HackerOne platform. It should be noted that the company doesn’t offer monetary compensation for bug reports:
We are not offering monetary bounties at this time, however, we would love to send you some swag for valid submissions.
It is curious to note that the DuckDuckGo vulnerability was submitted to HackerOne on October 31, 2018. At first, the issue was marked as high severity, and, as shared by the researcher in a conversation with BleepingComputer, the discussion continued until May 27 this year. That is when the company’s security team concluded that the vulnerability is not a serious issue and marked it as informative. The researcher was rewarded with swag.