Categories: NewsTechnology

Pakistani ethical hacker, Rafay Baloch, receives a $5,000 bounty for exposing Chrome, Firefox address bar flaw

Pakistani ethical hacker, Rafay Baloch, has exposed a vulnerability in Chrome and Firefox which essentially says that the way these browsers render website addresses could expose users to malicious websites that otherwise appear to be legitimate.

On Tuesday, Rafay Baloch published a blog on his website where he explained the address-bar spoofing bug. The bug could allow a hacker to trick the user by displaying a spoofed page for an invalid URL.

“Google security team themselves state that ‘We recognize that the address bar is the only reliable security indicator in modern browsers’ and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is a legitimate website as the address bar points to the correct website. ”

This has earned him a $5000 bug bounty.

This address bar spoofing flaw works because several languages like Arabic and Hebrew are written from right to left. Due to mishandling of several Unicode characters and how they are rendered with a first strong character, let’s say, an IP address or an alphabet could lead to a spoofed URL. Rafay spotted this bug by placing neutral characters such as “/”, “ا” in the file path which, according to him, causes the URL to be flipped.

For example, 127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/‭ا/127.0.0.1. This means that a person clicking on the link would assume to be going to example.com but the site would actually display data from 127.0.0.1. You can read about it in detail here.

According to Rafay, this vulnerability exists in some other browsers as well who are currently undergoing a fix which is why he refrained from mentioning them. However, Chrome and Firefox appear to have fixed the bug on his timely discovery and indication.

Rafay Baloch is a pretty accomplished penetration tester. Finding a bug with PayPal back in 2012, he managed to get a USD 10,000 bounty. In 2014, his work on a bug in Android got featured with Forbes and BBC. He also got featured on our 25 UNDER 25.

Editing by Muneeb Ahmad

Image — Hackread

Sponsored
Maryam Dodhy

I love bringing to light stories of extraordinary people working in Pakistan's tech and startup industry. You can reach out to me through maryamdodhy@techjuice.pk.

Share
Published by
Maryam Dodhy

Recent Posts

Weekend Brings Positive Change in Lahore’s Air Quality Index

LAHORE: Lahore's air pollution levels showed significant improvement over the weekend, with the overall Air…

10 hours ago

PTA Streamlines VPN Registration for Freelancers

ISLAMABAD: The Pakistan Telecommunication Authority (PTA) has streamlined the procedure of registering Virtual Private Networks…

10 hours ago

Report Predicts PSX Will Hit 127,000 by December 2025

The Pakistan Stock Market (PSX), fuelled by economic stability and budgetary consolidation, is expected to…

10 hours ago

Lahore Completes Preparations for Artificial Rain Project

The Punjab government is advancing plans to generate artificial rain in Lahore to further enhance…

12 hours ago

Indus Motor Company Suspends Toyota Car Production

Indus Motor Company (IMC), which makes Toyota cars in Pakistan, has said that production will…

12 hours ago

Azerbaijan Shows Interest in J-10Cs After Acquiring JF-17s from Pakistan

At the 2024 Zhuhai Air Show, the J-10C "Vigorous Dragon" fighter jet has emerged as…

12 hours ago