Dark Reading is part of the Informa Tech Division of Informa PLC


10/22/2020
05:45 PM

7 Mobile Browsers Vulnerable to Address-Bar Spoofing

Flaws allow attackers to manipulate URLs users see on their mobile devices, Rapid7 says.

Security vendor Rapid7, in collaboration with independent researcher Rafay Baloch, this week disclosed details on new vulnerabilities in seven mobile browsers — including Safari and Opera — that allow attackers to spoof information shown in the browser's address bar.

The vulnerabilities are the latest examples of a common security weakness in software where the user interface can be tricked into displaying erroneous information or into making it appear as if the information comes from a trusted source. Phishers have routinely taken advantage of the user interface misrepresentation issue to trick users into navigating to malicious sites or to fool them into thinking they are on a trusted site when, in fact, they are not.


"The issues identified by Rafay Baloch's research are all unique issues per browser, but they all fall in the general vulnerability category described by CWE-451 — 'User Interface Misrepresentation of Critical Information,'" says Tod Beardsley, director of research at Rapid7.

Such vulnerabilities allow an attacker to control both the content of a website and the apparent source of the website, which can lead to very convincing-looking but malicious web pages. According to Beardsley, the new vulnerabilities that Baloch discovered essentially give attackers a way to display false content when a mobile browser refreshes the address bar.

"Exploitation all comes down to, 'Javascript shenanigans'," Beardsley said in a blog this week. "By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website."

In all instances, a mobile user would need to be lured to an attacker-controlled website, he said.

In addition to Safari and Opera, the other impacted mobile browsers include those from Yandex, UCWeb, and Raise IT Solutions. UCWeb's UC Browser has more than 500 million downloads, while the Yandex browser has over 100 million, according to Beardsley. So far only Apple and Opera have addressed the vulnerabilities in their browsers after being notified of the problem in August.

New Spin on Old Issue
Address spoofing and other information manipulation is by no means new. But detecting the trickery on a mobile browser can be considerably harder than on a desktop browser.

Because of the relatively limited screen sizes available on most modern smartphones, browser makers have little real estate for introducing security indicators that warn users when something might be wrong. As a result, the address bar on a mobile browser is often the main way to validate the source of a web page or a particular piece of content. Most browser vendors have recognized this and have implemented controls for ensuring that what's shown on the screen is inexorably linked to where that data came from, Beardsley says.

Hank Schless, senior manager, security solutions at mobile security vendor Lookout, describes URL spoofing as one of the most common ways attackers trick people into clicking a phishing link, especially on mobile devices. As an example, he points to how quickly users are apt to click on links to check tracking information or the other notifications they might receive when they purchase something online. Because the screen is smaller, it's difficult to identify a spoofed URL that has small changes, such as an added accent or special character to one letter in the address.
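An added example, not from the article or from Rapid7 or Lookout: a Python check that a link scanner or mail gateway could run to flag the kind of lookalike address Schless describes, where one letter carries an added accent or is replaced by a special character. The allowlist, sample URLs and function names are constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist for illustration; a real deployment loads its own.
TRUSTED = {"example.com", "shipping.example"}

def to_unicode_host(url):
    """Lowercased hostname with any punycode (xn--) labels decoded."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # keep an undecodable label unchanged
        labels.append(label)
    return ".".join(labels).lower()

def fold_accents(host):
    """Drop combining marks, so an accented letter folds to its base letter."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))

def trusted_parent(host, trusted):
    """Return the trusted domain that host equals or is a subdomain of."""
    for domain in trusted:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def classify(url, trusted=TRUSTED):
    host = to_unicode_host(url)
    exact = trusted_parent(host, trusted)
    if exact:
        return ("trusted", exact)
    folded = trusted_parent(fold_accents(host), trusted)
    if folded:
        return ("lookalike", folded)  # differs only by accents or compat forms
    if not host.isascii():
        return ("non_ascii", None)    # e.g. a Cyrillic letter; needs review
    return ("unlisted", None)

if __name__ == "__main__":
    samples = [  # constructed sample links
        "https://track.example.com/p?id=1",
        "https://ex\u00e4mple.com/p?id=1",
        "https://xn--" + "ex\u00e4mple".encode("punycode").decode() + ".com/",
        "https://ex\u0430mple.com/",  # U+0430 is Cyrillic 'a'
    ]
    for s in samples:
        print(classify(s), s)
```

Accent folding only catches lookalikes that decompose to the trusted spelling; letters from another script fall into the `non_ascii` bucket and need a confusables table or manual review.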

Brandon Hoffman, CISO at Netenrich, says the new vulnerabilities involve an old technique that's garnering fresh interest due to limitations on mobile browsers.

"These vulnerabilities are not really all that different from other vulnerabilities users have been dealing with on their desktops," he says.

The only reason they are interesting is because attacks that exploit these issues would be easier to obfuscate on a mobile device, Hoffman adds.

"If people continue to go to the sites they like within the proper apps and using the correct URLs, then they don't need to be overly concerned," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
 
