- Aug 17, 2014
A set of address-bar spoofing vulnerabilities affecting a number of mobile browsers opens the door to malware delivery, phishing and disinformation campaigns.
The bugs, reported by Rapid7 and independent researcher Rafay Baloch, affect six browsers, ranging from the common (Apple Safari, Opera Touch/Mini and Yandex) to the less common (Bolt Browser, RITS Browser and UC Browser). They allow an attacker to make the address bar display a URL other than the one whose content the page is actually showing. That is a serious problem in the mobile world, where the URL in the address bar is often the only indication of legitimacy users have before they interact with a website.
“Mobile browsers are a pretty special sort of software that end up acting as a user’s multipass for all types of critical applications in their day-to-day life,” explained Rapid7 research director Tod Beardsley, in a blog post on Tuesday. “Essentially, if your browser tells you that a pop-up notification or a page is ‘from’ your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source. In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don’t have much else to rely on.”