URL Address Bar Spoofing Vulnerability in UC Browser Left Unpatched



The popular UC Browser and UC Browser Mini Apps for Android are vulnerable to address spoofing attacks. The current status of the vulnerability discovered by security researcher Arif Khan is unpatched, and it doesn’t have a CVE assigned yet.

More about the UC Browser Vulnerability

Khan discovered “a URL Address Bar spoofing vulnerability in the latest version of the UC Browser and UC Browser Mini that have over 500mn and 100mn installs each respectively, as per Playstore”.

Furthermore, the flaw enables attackers to masquerade their phishing domains as the website they are targeting. What does this mean? A blogspot.com domain can pretend to be facebook.com, Khan explained, by tricking the user into visiting www.google.com.blogspot.com/?q=www.facebook.com.

More specifically, the vulnerability stems from the way the user interface of both browsers deals with a specific built-in feature that was meant to improve Google search experience for users. The security flaw could allow an attacker to take over URL strings displayed in the address bar. This could lead to a malicious website posing as a legitimate one, as described in the example with Google and BlogSpot above.
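To show the defensive rule the flaw violates, here is an added example (not code from the article or from UC Browser): the text shown as the page's origin must come only from the URL's authority part, never from a query parameter, and a check can flag the two tricks the article's sample URL combines. The brand list and the two-label suffix logic are simplifying assumptions.

```python
# Added example: derive the displayed origin safely and flag look-alike URLs.
import re
from urllib.parse import urlsplit, parse_qs

# Constructed list of imitated brands; a real product would use a maintained
# list or the user's history, not this hard-coded set (assumption).
WELL_KNOWN_HOSTS = {"google.com", "facebook.com", "twitter.com", "paypal.com"}

# Matches a dotted hostname such as www.facebook.com (no scheme, no path).
HOST_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.IGNORECASE)


def registrable_part(host: str) -> str:
    """Last two labels of the host. Assumption: two-label suffixes only;
    real code should consult the Public Suffix List (co.uk etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def displayed_origin(url: str) -> str:
    """What an address bar should show: the host from the authority only.
    Path, query and fragment must never influence this value."""
    host = urlsplit(url).hostname
    return (host or "").lower()


def spoof_indicators(url: str, known=WELL_KNOWN_HOSTS) -> list:
    """Return warnings for URLs that imitate a well-known host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    real = registrable_part(host)
    warnings = []
    # Trick 1: a known name used as leading labels, e.g. www.google.com.blogspot.com
    for k in sorted(known):
        if real != k and f".{k}." in f".{host}.":
            warnings.append(f"host {host!r} embeds {k!r} but belongs to {real!r}")
    # Trick 2: a query value that is itself a hostname, e.g. ?q=www.facebook.com
    for key, values in parse_qs(parts.query).items():
        for v in values:
            if HOST_RE.match(v) and registrable_part(v) != real:
                warnings.append(f"query '{key}' carries host {v!r}; page host is {host!r}")
    return warnings


if __name__ == "__main__":
    sample = "http://www.google.com.blogspot.com/?q=www.facebook.com"  # from the article
    print(displayed_origin(sample))
    for w in spoof_indicators(sample):
        print("WARNING:", w)
```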


It is important to mention that the researcher came across the same issue in the Mi and Mint browsers which are pre-installed on Xiaomi smartphones:

Previously, I wrote about this issue affecting Xiaomi Mi and Mint browsers, but now UC Browsers (only latest versions) share the same behavior much to my surprise.

The researcher also mentions that some old and other versions of UC Browsers are still not vulnerable to this issue, a fact which is rather confusing. Perhaps it means that a new feature might have been added to the browser recently which is causing the vulnerability.

What did Khan do? He reported his findings to the security team of UC Browser more than a week ago but the issue remains unresolved. It appears that his report was simply ignored.

Other popular browsers such as Edge and Safari were also found to contain address spoofing flaws. Last year, Pakistan-based security researcher Rafay Baloch reported that both Microsoft Edge and Safari possessed an address bar spoofing vulnerability. The statement was made after he tested the browsers with proof-of-concept JavaScript code.


The tests indicated that a request to a non-existent port could trigger a race condition that allowed malicious code to spoof the address bar. This specific issue was tracked as CVE-2018-8383.

Milena Dimitrova
