Mobile browser vulnerabilities allow hackers to spoof website addresses
Vulnerabilities have been found in multiple mobile browsers that allow hackers to spoof the URL of websites in the address bar.
Detailed today by researcher Tod Beardsley at Rapid7 Inc., the address bar spoofing vulnerabilities were found in Apple Inc.’s Safari, Opera Touch/Mini, Yandex, Bolt Browser, RITS Browser and UC Browser. Although most of those are not widely known, Safari is the default browser in iOS and iPadOS, while the Opera browsers are popular on some low-end phones.
Exploiting the vulnerabilities, an attacker can present a fake URL in the address bar for a given webpage, fooling users into believing that they may be on a legitimate site when they are on a fake phishing or similar scam website.
Address spoofing isn’t new and it’s not limited to mobile browsers, but part of the issue lies with how mobile browsers present addresses. In a desktop browser, there are security features and signs to verify if the address is legitimate, but mobile browsers don’t have them.
“Essentially, if your browser tells you that a pop up notification or a page is ‘from’ your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source,” Beardsley explained. “In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don’t have much else to rely on.”
Rapid7 reached out to the companies behind the various browsers when they first discovered the issue in the northern summer. Both Apple and Opera responded promptly and have since patched the vulnerabilities in newer releases. Yandex, which is popular in Russia has also since addressed the vulnerability while RITS indicated that they were intending to fix the issue. UC and Bolt failed to respond.
“URL spoofing is one of the most common ways attackers trick people into clicking a phishing link — especially on mobile devices,” Hank Schless, senior manager, security solutions at mobile security firm Lookout Inc., told SiliconANGLE. “We’re all used to tapping on links that are sent to our mobile devices.”
Schless said people get countless delivery notifications when they buy something online and often quickly tap the link to check the tracking info. “Because the screen is smaller, it’s really hard to identify a spoofed URL with discrete changes,” he said. “For example, an attacker may add an accent or special character to one letter in the address that a user wouldn’t even notice. Mobile phishing is the fastest-growing problem for IT and security teams for this exact reason.”
Since you’re here …
Show your support for our mission with our one-click subscription to our YouTube channel (below). The more subscribers we have, the more YouTube will suggest relevant enterprise and emerging technology content to you. Thanks!
Support our mission: >>>>>> SUBSCRIBE NOW >>>>>> to our YouTube channel.
… We’d also like to tell you about our mission and how you can help us fulfill it. SiliconANGLE Media Inc.’s business model is based on the intrinsic value of the content, not advertising. Unlike many online publications, we don’t have a paywall or run banner advertising, because we want to keep our journalism open, without influence or the need to chase traffic.The journalism, reporting and commentary on SiliconANGLE — along with live, unscripted video from our Silicon Valley studio and globe-trotting video teams at theCUBE — take a lot of hard work, time and money. Keeping the quality high requires the support of sponsors who are aligned with our vision of ad-free journalism content.