Vulnerabilities have been found in multiple mobile browsers that allow hackers to spoof the URL of websites in the address bar.

Detailed today by researcher Tod Beardsley at Rapid7 Inc., the address bar spoofing vulnerabilities were found in Apple Inc.’s Safari, Opera Touch/Mini, Yandex, Bolt Browser, RITS Browser and UC Browser. Although most of those are not widely known, Safari is the default browser in iOS and iPadOS, while the Opera browsers are popular on some low-end phones.

Exploiting the vulnerabilities, an attacker can present a fake URL in the address bar for a given webpage, fooling users into believing that they may be on a legitimate site when they are on a fake phishing or similar scam website.

Address spoofing isn’t new and it’s not limited to mobile browsers, but part of the issue lies with how mobile browsers present addresses. In a desktop browser, there are security features and signs to verify if the address is legitimate, but mobile browsers don’t have them.

“Essentially, if your browser tells you that a pop up notification or a page is ‘from’ your bank, your healthcare provider or some other critical service you depend on, you really should have some mechanism of validating that source,” Beardsley explained. “In mobile browsers, that source begins and ends with the URL as shown in the address bar. The fact of the matter is, we really don’t have much else to rely on.”

Exploiting the vulnerability to spoof an address comes down to what Beardsley describes as “Javascript shenanigans.” A malicious website using Javascript would insert the code at the top of the page that can exploit the vulnerabilities and hence present a fake URL in the address bar.

Rapid7 reached out to the companies behind the various browsers when they first discovered the issue in the northern summer. Both Apple and Opera responded promptly and have since patched the vulnerabilities in newer releases. Yandex, which is popular in Russia has also since addressed the vulnerability while RITS indicated that they were intending to fix the issue. UC and Bolt failed to respond.

“URL spoofing is one of the most common ways attackers trick people into clicking a phishing link — especially on mobile devices,” Hank Schless, senior manager, security solutions at mobile security firm Lookout Inc., told SiliconANGLE. “We’re all used to tapping on links that are sent to our mobile devices.”

Schless said people get countless delivery notifications when they buy something online and often quickly tap the link to check the tracking info. “Because the screen is smaller, it’s really hard to identify a spoofed URL with discrete changes,” he said. “For example, an attacker may add an accent or special character to one letter in the address that a user wouldn’t even notice. Mobile phishing is the fastest-growing problem for IT and security teams for this exact reason.”

Photo: Pxhere