Many mobile browsers are vulnerable to address bar spoofing

Brother



Rapid7 analysts and independent information security expert Rafay Baloch found that seven popular mobile browsers allow malicious sites to change the URL and display a spoofed address in the address bar.

Address bar spoofing is about as old as the web itself. Modern desktop browsers have a range of safeguards that make a fake URL easy to spot; mobile browsers largely do not. On a phone, screen space is scarce, so many of those safeguards were dropped to fit the address bar into the available space.

As mentioned above, the researchers found that seven mobile browsers are vulnerable to such spoofing. These are Apple Safari, Opera Touch and Opera Mini, Bolt, RITS, UC Browser, and Yandex Browser.


The researchers explain that exploiting such bugs usually comes down to JavaScript tricks. For example, by taking advantage of the window between the start of a page load and the moment the browser is able to update the URL in the address bar, a malicious site can make the browser display the wrong address. Most often this is the URL of a legitimate site that the scammers want their own page to pass for. A detailed description of all the bugs found is available on Baloch's blog.

The vulnerabilities were identified this summer, and the researchers notified the developers in August. As the table below shows, the large vendors fixed the issues very quickly, while the small ones did not even respond to the researchers, let alone release patches.

[Image: mobile-browsers-spoofing.png, table of vendor responses and patch status]


Experts strongly recommend that users update their browsers and, where patches are still missing, switch to a different, more secure browser.