The popular UC Browser and UC Browser Mini apps for Android are vulnerable to address bar spoofing attacks. The vulnerability, discovered by security researcher Arif Khan, is currently unpatched and does not have a CVE assigned yet.
More about the UC Browser Vulnerability
Khan discovered “an URL Address Bar spoofing vulnerability in the latest version of the UC Browser 18.104.22.1684 and UC Browser Mini 22.214.171.1242 that have over 500mn and 100mn installs each respectively, as per Playstore”.
The flaw enables attackers to disguise their phishing domains as the website they are targeting. What does this mean? The blogspot.com domain can pretend to be facebook.com, Khan explained, by tricking the user into visiting www.google.com.blogspot.com/?q=www.facebook.com.
More specifically, the vulnerability stems from the way the user interface of both browsers handles a built-in feature that was meant to improve the Google search experience for users. The security flaw could allow an attacker to control the URL string displayed in the address bar. This could lead to a malicious website posing as a legitimate one, as described in the example with Google and BlogSpot above.
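An added illustration, not UC Browser's code (which the article does not show): it assumes the search feature replaces the displayed URL with the value of the `q` parameter whenever the page looks like a Google search, and contrasts a loose substring test on the hostname with an exact-origin check. All function names are hypothetical.

```javascript
// Added example; function names are hypothetical, not taken from UC Browser.
const SEARCH_HOSTS = new Set(["www.google.com", "google.com"]);

// Accept input typed without a scheme, as a user would enter it.
function parse(raw) {
  const withScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(raw) ? raw : "https://" + raw;
  return new URL(withScheme);
}

// Loose check (assumed for illustration): any hostname that merely
// contains "google.com" is treated as a search page, so the address bar
// shows the page-supplied q value instead of the real origin.
function displayTextLoose(raw) {
  const url = parse(raw);
  const q = url.searchParams.get("q");
  return q && url.hostname.includes("google.com") ? q : url.host;
}

// Strict check: show the query only for an exact search origin
// (https, default port, allowlisted hostname, /search path).
// Anything else, including unparseable input, displays as-is or by host.
function displayTextStrict(raw) {
  let url;
  try { url = parse(raw); } catch { return raw; }
  const q = url.searchParams.get("q");
  const isSearch =
    url.protocol === "https:" &&
    url.port === "" &&
    SEARCH_HOSTS.has(url.hostname) &&
    url.pathname === "/search" &&
    Boolean(q);
  return isSearch ? q : url.host;
}

// The URL quoted in the article.
const sample = "www.google.com.blogspot.com/?q=www.facebook.com";
console.log("loose :", displayTextLoose(sample));
console.log("strict:", displayTextStrict(sample));
```

The strict variant always falls back to the real host, so a lookalike subdomain can never put its own text in the address bar.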
It is important to mention that the researcher came across the same issue in the Mi and Mint browsers which are pre-installed on Xiaomi smartphones:
“Previously, I wrote about this issue affecting Xiaomi Mi and Mint browsers, but now UC Browsers (only latest versions) share the same behavior much to my surprise.”
The researcher also mentions that some old and other versions of UC Browser are still not vulnerable to this issue, a fact which is rather confusing. Perhaps it means that a feature recently added to the browser is causing the vulnerability.
What did Khan do? He reported his findings to the security team of UC Browser more than a week ago but the issue remains unresolved. It appears that his report was simply ignored.
The tests indicated that upon a request from a non-existent port a race condition could be triggered in the memory process which allowed malicious code to spoof the address. This specific issue was tracked in the CVE-2018-8383 advisory.