Categories: NewsTechnology

Pakistani ethical hacker, Rafay Baloch, receives a $5,000 bounty for exposing Chrome, Firefox address bar flaw

Pakistani ethical hacker, Rafay Baloch, has exposed a vulnerability in Chrome and Firefox which essentially says that the way these browsers render website addresses could expose users to malicious websites that otherwise appear to be legitimate.

On Tuesday, Rafay Baloch published a blog on his website where he explained the address-bar spoofing bug. The bug could allow a hacker to trick the user by displaying a spoofed page for an invalid URL.

“Google security team themselves state that ‘We recognize that the address bar is the only reliable security indicator in modern browsers’ and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is a legitimate website as the address bar points to the correct website. ”

This has earned him a $5000 bug bounty.

This address bar spoofing flaw works because several languages like Arabic and Hebrew are written from right to left. Due to mishandling of several Unicode characters and how they are rendered with a first strong character, let’s say, an IP address or an alphabet could lead to a spoofed URL. Rafay spotted this bug by placing neutral characters such as “/”, “ا” in the file path which, according to him, causes the URL to be flipped.

For example, 127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/‭ا/127.0.0.1. This means that a person clicking on the link would assume to be going to example.com but the site would actually display data from 127.0.0.1. You can read about it in detail here.

According to Rafay, this vulnerability exists in some other browsers as well who are currently undergoing a fix which is why he refrained from mentioning them. However, Chrome and Firefox appear to have fixed the bug on his timely discovery and indication.

Rafay Baloch is a pretty accomplished penetration tester. Finding a bug with PayPal back in 2012, he managed to get a USD 10,000 bounty. In 2014, his work on a bug in Android got featured with Forbes and BBC. He also got featured on our 25 UNDER 25.

Editing by Muneeb Ahmad

Image — Hackread

Sponsored
Maryam Dodhy

I love bringing to light stories of extraordinary people working in Pakistan's tech and startup industry. You can reach out to me through maryamdodhy@techjuice.pk.

Share
Published by
Maryam Dodhy

Recent Posts

FBR to Impose Strict Restrictions on Non-Filers: Ban on Vehicle, Property Purchases, and Bank Transactions

The government is set to implement stricter measures against non-filers, imposing a ban on several…

6 mins ago

Meezan Bank Refuses Data Breach, Links Unauthorized Transactions to Third-Party Platforms

Meezan Bank has addressed concerns over unauthorized debit card transactions, compensating at least ten affected…

36 mins ago

Apple’s Dynamic Island Inspires Samsung’s Latest Feature

Samsung has announced new features for their One UI 7, which is based on Android…

1 hour ago

Google to Enhance iOS Search with AI Suggestions for More Precise Results

Google is currently testing a new AI-powered feature for its iOS app aimed at enhancing…

18 hours ago

IT Minister Responds to Social Media Shutdown Concerns, Emphasizes Privacy and Security

Islamabad: During a National Assembly session on Wednesday, Minister for IT Shaza Fatima Khawaja addressed…

19 hours ago

Over 1.4 Million Websites Blocked by PTA Under PECA

ISLAMABAD: The Pakistan Telecommunications Authority (PTA) has taken decisive action against illegal online activities by…

20 hours ago