CVE-2019-12329: URL Spoofing Bug in DuckDuckGo Android Browser

CVE-2019-12329 is an address bar spoofing vulnerability in the DuckDuckGo browser for Android version 5.26.0. The browser has more than 5 million installations, and its users are exposed to URL spoofing attacks.

The vulnerability was discovered by security researcher Dhiraj Mishra who reported it to DuckDuckGo’s security team via their bug bounty program hosted on HackerOne.

How Does CVE-2019-12329 Work?

According to the researcher’s proof-of-concept, the bug spoofs the omnibar (address bar) of DuckDuckGo’s privacy browser. The exploit relies on a specially crafted page whose JavaScript uses the setInterval function to reload a URL every 10 to 50 ms.
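Address bar spoofing bugs of this class usually come down to when the browser updates the displayed URL: if the bar shows the target of a navigation as soon as it starts, a page that keeps starting navigations that never finish can leave a trusted-looking URL on screen while its own content stays rendered. The following is an added example, not code from the original article, from DuckDuckGo or from the researcher: a simplified JavaScript model of two omnibar policies, one that updates on navigation start and one that only updates once a navigation commits. The event names loosely follow Android WebViewClient callbacks (onPageStarted, onPageCommitVisible), but the classes, the "abort" event, and the assumption that the repeated reloads never commit are constructed for illustration and are not a description of the actual DuckDuckGo implementation or fix. The sample URLs are constructed.

```javascript
// Added example (not the article's or DuckDuckGo's code): a toy model of an
// address bar ("omnibar") reacting to navigation events. Event names loosely
// mirror Android WebViewClient callbacks; the abort event and the assumption
// that repeated reloads never commit are assumptions made for this model.

class NaiveOmnibar {
  constructor() {
    this.displayedUrl = ""; // what the user sees in the bar
    this.contentUrl = "";   // URL of the document actually rendered
  }
  onPageStarted(url) {
    // Weak policy: show the target URL as soon as a navigation starts.
    this.displayedUrl = url;
  }
  onPageCommitVisible(url) {
    this.contentUrl = url;
    this.displayedUrl = url;
  }
  onNavigationAborted() {
    // Nothing is reverted: the bar keeps showing the uncommitted target.
  }
}

class HardenedOmnibar {
  constructor() {
    this.displayedUrl = "";
    this.contentUrl = "";
    this.pendingUrl = null; // target of an in-flight navigation, never shown
  }
  onPageStarted(url) {
    // Record the pending target but keep showing the committed document's URL.
    this.pendingUrl = url;
  }
  onPageCommitVisible(url) {
    // Only a committed navigation may change what the user sees.
    this.contentUrl = url;
    this.displayedUrl = url;
    this.pendingUrl = null;
  }
  onNavigationAborted() {
    // Drop the pending target; the bar still reflects the rendered content.
    this.pendingUrl = null;
  }
}

// Drive both bars through the same sequence: a page (constructed sample URL)
// commits, then repeatedly starts a navigation to a trusted-looking URL that is
// aborted before it commits. Returns both bars for inspection.
function simulateSpoofCycles(cycles) {
  const attackerPage = "https://example-attacker.invalid/"; // constructed
  const targetUrl = "https://bank.example/";                // constructed
  const naive = new NaiveOmnibar();
  const hardened = new HardenedOmnibar();
  for (const bar of [naive, hardened]) {
    bar.onPageStarted(attackerPage);
    bar.onPageCommitVisible(attackerPage);
    for (let i = 0; i < cycles; i++) {
      bar.onPageStarted(targetUrl);
      bar.onNavigationAborted();
    }
  }
  return { naive, hardened };
}

// Invariant a browser (or a UI test) can check: the origin shown in the bar
// must be the origin of the document that is actually rendered.
function displayMatchesContent(bar) {
  return new URL(bar.displayedUrl).origin === new URL(bar.contentUrl).origin;
}

const result = simulateSpoofCycles(20);
console.log("naive bar shows:   ", result.naive.displayedUrl,
            "consistent:", displayMatchesContent(result.naive));
console.log("hardened bar shows:", result.hardened.displayedUrl,
            "consistent:", displayMatchesContent(result.hardened));
```

Run with `node`. The naive bar ends up displaying the trusted-looking URL while the rendered content still comes from the other origin, which is the condition a user cannot distinguish from a genuine visit; the hardened bar never shows a URL that has not committed, so the invariant holds no matter how many cycles run. A UI test that asserts `displayMatchesContent` after each navigation event is one way to catch regressions of this bug class.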

The vulnerability can be exploited in URL spoofing attacks, where the URL displayed in the address bar is changed to trick users into believing that the website they are visiting is legitimate and not controlled by attackers.

The truth is that the website is in fact hacker-controlled. A similar vulnerability was discovered earlier in May in UC Browser for Android. Security researcher Arif Khan discovered “an URL Address Bar spoofing vulnerability in the latest version of the UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192 that have over 500mn and 100mn installs each respectively, as per Playstore”.

The UC Browser vulnerability also enables attackers to masquerade their phishing domains as the website they are targeting, so that they appear trustworthy to users. How does this work? As Khan explained, the blogspot.com domain can pretend to be facebook.com by tricking the user into visiting www.google.com.blogspot.com/?q=www.facebook.com.

Related: URL Address Bar Spoofing Vulnerability in UC Browser Left Unpatched.

More about DuckDuckGo

DuckDuckGo is an Internet privacy company that empowers users to seamlessly take control of their personal information online, without any tradeoffs. Advertised as “the search engine that doesn’t track you”, the company has started a bug bounty program hosted on the HackerOne platform. It should be noted that the company doesn’t offer monetary compensation for bug reports:

We are not offering monetary bounties at this time, however, we would love to send you some swag for valid submissions.

It is worth noting that the DuckDuckGo vulnerability was submitted to HackerOne on October 31, 2018. The issue was initially marked as high severity and, as the researcher told BleepingComputer, the discussion continued until May 27 this year, when the company’s security team concluded that the vulnerability was not a serious issue and marked it as informative. The researcher was rewarded with swag.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

