Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.
Rafay has published a detailed paper on his website about the vulnerabilities and the browsers that are currently affected by them. Currently, most of us trust a website if the URL at the top looks okay. According to the demonstration made by Rafay, this can be exploited by a technique called address bar spoofing.
This works by showing the same URL as a site you trust while you are on a different site altogether. Say you want to go to bing.com so you click on a link to take you to Bing. You look at the top and it says bing.com but it won’t be Bing.
He has done this by using the following code (if you don’t understand code, you can just skip to the output image):
<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
onclick="win = window.open("https://www.facebook.com:8080","WIN");
window.open("https://www.bing.com", "WIN");
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>
The above output is from Opera Touch in iOS which is a very famous mobile browser. Similarly, the code was tested in multiple browsers on different operating systems. This was disclosed by the hacker as early as September to browser companies. Only Apple and Opera have responded to this according to Rafay Baloch.
The affected browsers are listed below:
CVE | Vendor | Browser | Version | Platform | Fixed? |
CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4. |
CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security |
CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020 |
CVE-2020-9987 | Apple | Apple | iOS 13.6 | iOS | Fix released Sept. 16, 2020 |
Since COVID started, multiple browsers were found to be vulnerable to phishing attacks as well. This is worrying as a vendor like UCWeb has not even responded to the disclosure. UC browser is used by more than 500 million users.
Image Source: Computerworld