Xiaomi has trouble permanently patching its browsers against a vulnerability that enables spoofing URLs in a way that is difficult to detect by users.
The flaw affects the international versions of Mint Browser and Mi, the web browser that comes pre-installed on Xiaomi smartphones. It was patched and re-patched, and yet it still persists in the two products that are present on millions of devices.
The company
sold 118.7 million smartphones last year. Mint Browser has over 500,000 installs on Google Play.
Cybercriminals leveraging this issue can create more credible phishing attacks with little interaction from the victim. All it takes is to lure them to follow a malicious link.
Patch, bypass, repeat
Security researcher Arif Khan on Friday disclosed that the flaw (CVE-2019-10875) works with both HTTP and HTTPS websites and it could be used to show any domain name in the address bar.
"When you try to open a link with a query portion with that URL, Xiaomi's browsers try to display it as search engines would display it in the search bar," the researcher
explains.
...
.....