DuckDuckGo Android Browser Vulnerable to URL Spoofing Attacks

LASER_oneXM

Feb 4, 2016
The open source DuckDuckGo Privacy Browser for Android version 5.26.0 with more than 5 million installs makes it possible for potential attackers to launch URL spoofing attacks targeting the app's users by exploiting an address bar spoofing vulnerability.

Security researcher Dhiraj Mishra found the flaw, tracked as CVE-2019-12329, and reported it to the app's security team through their bug bounty program on the HackerOne bug bounty and vulnerability coordination platform.

The researcher states that the proof-of-concept he devised works by spoofing DuckDuckGo Privacy Browser's omnibar with the help of a specially crafted JavaScript page which makes use of the setInterval function to reload a URL every 10 to 50 ms.

While the real duckduckgo.com website is automatically loaded every 50 ms, the inner HTML is modified to display entirely different content as explained in Mishra's blog post.
... ...
 

Gandalf_The_Grey

Apr 24, 2016
Timeline:
This issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded it with swag on Nov 13th, 2018, but the issue was closed without a fix, with a note saying the "team doesn't view it as a serious issue", and the report was marked as informative. Further, CVE-2019-12329 was assigned to this issue.
I believe this is why you should stick to main browsers like Chrome, Edge and Firefox.
They take security more seriously.
 
