DuckDuckGo Android Browser Vulnerable to URL Spoofing Attacks

LASER_oneXM

The open source DuckDuckGo Privacy Browser for Android version 5.26.0 with more than 5 million installs makes it possible for potential attackers to launch URL spoofing attacks targeting the app's users by exploiting an address bar spoofing vulnerability.

Security researcher Dhiraj Mishra found the flaw tracked as CVE-2019-12329 and reported it to the app's security team through their bug bounty program on the HackerOne bug bounty and vulnerability coordination platform.

The researcher states that the proof-of-concept he devised works by spoofing DuckDuckGo Privacy Browser's omnibar with the help of a specially crafted JavaScript page which makes use of the setInterval function to reload a URL every 10 to 50 ms.

While the real duckduckgo.com website is automatically loaded every 50 ms, the inner HTML is modified to display entirely different content as explained in Mishra's blog post.
... ...
 
Timeline:
This issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded with a swag on Nov 13th, 2018, but the issue was closed without a fix, which says "team doesn't view it as a serious issue", and the report was marked as informative. Further, CVE-2019-12329 was assigned to this issue.
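
A detection-side sketch of the behaviour described in the post above, added here as an example and not taken from the post, Mishra's write-up or DuckDuckGo's code: it scans a navigation log for script-driven reloads of the same URL at the 10 to 50 ms cadence the article mentions. The log format, thresholds and all names are assumptions.

```javascript
// Constructed sample: navigation-start events as a browser or WebView host
// might record them (t = ms timestamp, gesture = triggered by the user).
const SAMPLE_LOG = [
  { t: 0, url: "https://example.test/article", gesture: true },
  { t: 4200, url: "https://example.test/next", gesture: true },
  // Six script-driven loads of one URL, 50 ms apart (the reported pattern).
  ...Array.from({ length: 6 }, (_, i) => ({
    t: 9000 + i * 50, url: "https://duckduckgo.com/", gesture: false,
  })),
  // A short benign redirect chain that must not be flagged by default.
  { t: 20000, url: "https://example.test/a", gesture: false },
  { t: 20030, url: "https://example.test/a", gesture: false },
];

// Returns runs of gesture-less navigations to the same URL whose consecutive
// gaps are <= maxGapMs and that repeat at least minRepeats times.
// Both thresholds are hypothetical defaults chosen for this example.
function findReloadLoops(events, { maxGapMs = 50, minRepeats = 5 } = {}) {
  const loops = [];
  let run = null;
  const flush = () => {
    if (run && run.count >= minRepeats) loops.push(run);
    run = null;
  };
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    const continues = run && !ev.gesture &&
      ev.url === run.url && ev.t - run.last <= maxGapMs;
    if (continues) {
      run.count += 1;
      run.last = ev.t;
    } else {
      flush();
      // A user-initiated navigation never starts a run.
      if (!ev.gesture) {
        run = { url: ev.url, first: ev.t, last: ev.t, count: 1 };
      }
    }
  }
  flush();
  return loops;
}

for (const loop of findReloadLoops(SAMPLE_LOG)) {
  console.log(`reload loop: ${loop.url} x${loop.count} in ${loop.last - loop.first} ms`);
}
```
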
I believe this is why you should stick to main browsers like Chrome, Edge and Firefox.
They take security more seriously.
 

I would agree, though I think it’s also a function of budget and man power to meet today’s strenuous security needs, not just lax attitudes. The threat landscape is daunting today.
 
