Several mobile browsers vulnerable to address bar spoofing

silversurfer

Level 73
Verified
Trusted
Content Creator
Malware Hunter
Aug 17, 2014
6,224
A set of address-bar spoofing vulnerabilities that affect a number of mobile browsers open the door for malware delivery, phishing and disinformation campaigns.

The bugs, reported by Rapid7 and independent researcher Rafay Baloch, affect six browsers, ranging from the common (Apple Safari, Opera Touch/Mini and Yandex), to the less common (Bolt Browser, RITS Browser and UC Browser). They allow an attacker to present a fake address for a web page – which is a problem in the mobile world, where a URL is often the only verification of legitimacy that users have before navigating to a website.

“Mobile browsers are a pretty special sort of software that end up acting as a user’s multipass for all types of critical applications in their day-to-day life,” explained Rapid7 research director Tod Beardsley, in a blog post on Tuesday. “Essentially, if your browser tells you that a pop-up notification or a page is ‘from’ your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source. In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don’t have much else to rely on.”

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,754
The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
Full blog from Rapid7:

SecurityNightmares

Level 40
Verified
Jan 9, 2020
2,955
> The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
> Full blog from Rapid7:
Yandex doesn't care either.

Another source:

Gandalf_The_Grey

Level 48
Verified
Trusted
Content Creator
Apr 24, 2016
3,754
> Yandex also doesn't care too.
>
> Another source:
From the Rapid7 blog:
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
The Rapid7 blog is more up to date:

Affected browsers

So, with all that for context, here is the surprisingly diverse set of mobile browsers, shown in the table below (note that Opera and Apple are CVE Numbering Authorities in their own right, and will be populating their own CVE identifiers for those issues).

| CVE | Vendor | Browser | Version | Platform | Fixed? |
|---|---|---|---|---|---|
| CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
| CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
| CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4. |
| CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security |
| CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020 |
| CVE-2020-9987 | Apple | Apple | iOS 13.6 | iOS | Fix released Sept. 16, 2020 |

geminis3

Level 18
Verified
Sep 10, 2015
856
> The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
> Full blog from Rapid7:
UC Browser has always been shady for me; I remember their start page used to have inappropriate videos.