The open source DuckDuckGo Privacy Browser for Android version 5.26.0, with more than 5 million installs, makes it possible for potential attackers to launch URL spoofing attacks targeting the app's users by exploiting an address bar spoofing vulnerability.
Security researcher Dhiraj Mishra found the flaw, tracked as CVE-2019-12329, and reported it to the app's security team through their bug bounty program on the HackerOne bug bounty and vulnerability coordination platform.
The researcher states that the proof-of-concept he devised works by spoofing DuckDuckGo Privacy Browser's omnibar with the help of a specially crafted JavaScript page, which makes use of the setInterval function to reload a URL every 10 to 50 ms.
While the real duckduckgo.com website is automatically loaded every 50 ms, the inner HTML is modified to display entirely different content, as explained in Mishra's blog post.