Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.
Rafay has published a detailed paper on his website about the vulnerabilities and the browsers that are currently affected by them. Currently, most of us trust a website if the URL at the top looks okay. According to the demonstration made by Rafay, this can be exploited by a technique called address bar spoofing.
This works by showing the same URL as a site you trust while you are on a different site altogether. Say you want to go to bing.com so you click on a link to take you to Bing. You look at the top and it says bing.com but it won’t be Bing.
He has done this by using the following code (if you don’t understand code, you can just skip to the output image):
<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
>
window.open("https://www.bing.com", "WIN");
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>
The above output is from Opera Touch in iOS which is a very famous mobile browser. Similarly, the code was tested in multiple browsers on different operating systems. This was disclosed by the hacker as early as September to browser companies. Only Apple and Opera have responded to this according to Rafay Baloch.
The affected browsers are listed below:
| CVE | Vendor | Browser | Version | Platform | Fixed? |
| CVE-2020-7363 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
| CVE-2020-7364 | UCWeb | UC Browser | 13.0.8 | Android | No reply from vendor |
| CVE TBD-Opera | Opera | Opera Mini | 51.0.2254 | Android | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE TBD-Opera | Opera | Opera Touch | 2.4.4 | iOS | Fix expected from vendor Nov. 11, 2020 |
| CVE-2020-7369 | Yandex | Yandex Browser | 20.8 | Android | Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4. |
| CVE-2020-7370 | Danyil Vasilenko | Bolt Browser | 1.4 | iOS | Support email bounced, alerted Apple product security |
| CVE-2020-7371 | Raise IT Solutions | RITS Browser | 3.3.9 | Android | Fix expected Oct. 19, 2020 |
| CVE-2020-9987 | Apple | Apple | iOS 13.6 | iOS | Fix released Sept. 16, 2020 |
Since COVID started, multiple browsers were found to be vulnerable to phishing attacks as well. This is worrying as a vendor like UCWeb has not even responded to the disclosure. UC browser is used by more than 500 million users.
Image Source: Computerworld
Apple is reportedly preparing for a significant design overhaul with its iPhone 17 series, blending…
Karachi: A private school in Karachi has unveiled Pakistan’s first AI-powered teacher, a groundbreaking move…
Third-party apps have long been a staple of the Android ecosystem, but their appeal has…
ISLAMABAD: The Competition Commission of Pakistan (CCP) has completed its Phase-II review of Pakistan Telecommunication…
Xiaomi has shattered records by producing 100,000 vehicles in just 230 days. This is nearly…
OpenAI, in collaboration with nonprofit organization Common Sense Media, announced on Wednesday the launch of…
