
Apple, Opera and more aim to tackle address bar spoofing browser bug


Several popular web browsers contain vulnerabilities that leave their users open to phishing attacks. The bugs allow threat actors to make the address bar show a different address from the one the victim is actually visiting.

The bugs were discovered by security researcher Rafay Baloch, who found address bar spoofing flaws in Opera, Safari, Yandex and numerous other browsers, most of them on mobile. The attack is less effective on desktop, where users can more easily check other indicators of a website's legitimacy. On a mobile screen the address bar is the primary, and often the only, way to tell whether a page is genuine.

The bugs exploit the window between a navigation being started and the new page finishing loading: during that time the address bar already shows a reputable address of the attacker's choosing while the attacker's own content is still what the victim sees. In some of Baloch's examples the security padlock was displayed alongside the spoofed address, further lending it authenticity.
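To make the security-relevant point concrete, here is an added illustration (not code from the article, and not Baloch's proof of concept for any real browser): a toy model of a browser tab that either updates its address bar as soon as a navigation starts or only once the new document is committed. The policy names, the attacker and bank host names and the tab API are assumptions made for the example. The invariant it checks is the one these bugs break: the origin shown in the address bar must match the origin of the content on screen.

```javascript
// Added illustration, not the article's or the researcher's code: a toy model
// of when a browser updates its address bar during navigation. Host names,
// policy names and the Tab API are assumptions made for this example.

const BLANK = "about:blank";

function originOf(url) {
  // about:blank has an opaque origin; model it as the literal string.
  return url === BLANK ? BLANK : new URL(url).origin;
}

class Tab {
  // policy: "on-start"  updates the bar when a navigation begins (spoofable)
  //         "on-commit" updates it only when the new document is committed
  constructor(policy) {
    this.policy = policy;
    this.renderedUrl = BLANK;   // document whose content is on screen
    this.displayedUrl = BLANK;  // what the address bar shows
    this.pendingUrl = null;     // navigation started, no response yet
  }

  // A completed load: content and address bar agree.
  load(url) {
    this.renderedUrl = url;
    this.displayedUrl = url;
    this.pendingUrl = null;
  }

  // Script sets location.href / calls window.open: request sent, nothing
  // received yet, so the old document is still the one on screen.
  startNavigation(url) {
    this.pendingUrl = url;
    if (this.policy === "on-start") this.displayedUrl = url;
  }

  // Response arrived; the new document replaces the old one.
  commit() {
    if (this.pendingUrl !== null) this.load(this.pendingUrl);
  }

  // The invariant an address bar must keep: its origin equals the origin
  // of the content the user is looking at.
  isSpoofed() {
    return originOf(this.displayedUrl) !== originOf(this.renderedUrl);
  }
}

// Walk through the race described in the article: an attacker page starts a
// navigation to a reputable site that is slow (or never) to respond, and its
// own content stays on screen in the meantime.
function spoofWindow(policy) {
  const tab = new Tab(policy);
  tab.load("https://attacker.example/phish");           // constructed sample URLs
  tab.startNavigation("https://bank.example/login");     // hangs: no commit yet
  const duringLoad = {
    shown: tab.displayedUrl,
    content: tab.renderedUrl,
    spoofed: tab.isSpoofed(),
  };
  tab.commit();                                          // response finally arrives
  const afterCommit = {
    shown: tab.displayedUrl,
    content: tab.renderedUrl,
    spoofed: tab.isSpoofed(),
  };
  return { duringLoad, afterCommit };
}

console.log("on-start  :", JSON.stringify(spoofWindow("on-start")));
console.log("on-commit :", JSON.stringify(spoofWindow("on-commit")));
```

Under the "on-start" policy the tab reports the bank's URL while the attacker's page is still rendered, which is exactly the state a phishing page wants the victim to see; under "on-commit" the bar keeps showing the attacker's address until the bank's document actually arrives. Real browsers are far more complex than this model, but the fix Apple and others shipped amounts to restoring that invariant.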

Still at risk

Some browser vendors have responded better than others to the discovery. Apple and Yandex have already rolled out patches, but many others simply did not respond to the disclosure.

“It is pertinent to mention here that several mobile browsers with huge userbases do not even have a dedicated email for reporting security vulnerabilities, which discourages security researchers from reporting security vulnerabilities,” Baloch wrote on his blog. “Google Chrome and Firefox have a bug bounty program in which both desktop and mobile browsers are in-scope, whereas Microsoft’s bug bounty program is only limited to desktop versions. Apart from this, there is a small subset of mobile browsers incentivizing security researchers and bug bounty hunters for reporting vulnerabilities.”

The address bar vulnerabilities underline the need for users to stay vigilant against phishing. Question whether a link is genuine before tapping it, and once the page has fully loaded, check the address bar again and look for anything else that seems off, since on an unpatched browser the address shown during loading cannot be trusted.

Via TechCrunch