Several mobile browsers vulnerable to address bar spoofing

silversurfer

A set of address-bar spoofing vulnerabilities that affect a number of mobile browsers open the door for malware delivery, phishing and disinformation campaigns.

The bugs, reported by Rapid7 and independent researcher Rafay Baloch, affect six browsers, ranging from the common (Apple Safari, Opera Touch/Mini and Yandex), to the less common (Bolt Browser, RITS Browser and UC Browser). They allow an attacker to present a fake address for a web page – which is a problem in the mobile world, where a URL is often the only verification of legitimacy that users have before navigating to a website.

“Mobile browsers are a pretty special sort of software that end up acting as a user’s multipass for all types of critical applications in their day-to-day life,” explained Rapid7 research director Tod Beardsley, in a blog post on Tuesday. “Essentially, if your browser tells you that a pop-up notification or a page is ‘from’ your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source. In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don’t have much else to rely on.”

Gandalf_The_Grey

The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
Full blog from Rapid7:
 
ForgottenSeer 85179

The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
Full blog from Rapid7:
Yandex doesn't care either.

Another source:
 

Gandalf_The_Grey

Yandex doesn't care either.

Another source:
From the Rapid7 blog:
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
The Rapid7 blog is more up to date:

Affected browsers

So, with all that for context, here is the surprisingly diverse set of mobile browsers, shown in the table below (note that Opera and Apple are CVE Numbering Authorities in their own right, and will be populating their own CVE identifiers for those issues).

CVE | Vendor | Browser | Version | Platform | Fixed?
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor
CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020
CVE-2020-9987 | Apple | Apple | iOS 13.6 | iOS | Fix released Sept. 16, 2020
 

bayasdev

The scary part is that there will be no fix for UC Browser and Bolt Browser. Those two became highly unrecommended.
Full blog from Rapid7:
UC Browser has always been shady for me; I remember their start page used to have inappropriate videos.
 
