Technology

Pakistani white-hat hacker finds vulnerabilities in multiple mobile browsers

Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.

Rafay has published a detailed paper on his website about the vulnerabilities and the browsers that are currently affected by them. Currently, most of us trust a website if the URL at the top looks okay. According to the demonstration made by Rafay, this can be exploited by a technique called address bar spoofing.

This works by showing the same URL as a site you trust while you are on a different site altogether. Say you want to go to bing.com so you click on a link to take you to Bing. You look at the top and it says bing.com but it won’t be Bing.

He has done this by using the following code (if you don’t understand code, you can just skip to the output image):

<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
>
window.open(&quot;https://www.bing.com&quot;, &quot;WIN&quot;);
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>

The above output is from Opera Touch in iOS which is a very famous mobile browser. Similarly, the code was tested in multiple browsers on different operating systems. This was disclosed by the hacker as early as September to browser companies. Only Apple and Opera have responded to this according to Rafay Baloch.

The affected browsers are listed below:

CVE Vendor Browser Version Platform Fixed?
CVE-2020-7363 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE-2020-7364 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE TBD-Opera Opera Opera Mini 51.0.2254 Android Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE-2020-7369 Yandex Yandex Browser 20.8 Android Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 Danyil Vasilenko Bolt Browser 1.4 iOS Support email bounced, alerted Apple product security
CVE-2020-7371 Raise IT Solutions RITS Browser 3.3.9 Android Fix expected Oct. 19, 2020
CVE-2020-9987 Apple Apple iOS 13.6 iOS Fix released Sept. 16, 2020

 

Since COVID started, multiple browsers were found to be vulnerable to phishing attacks as well. This is worrying as a vendor like UCWeb has not even responded to the disclosure. UC browser is used by more than 500 million users.

Image Source: Computerworld

Sponsored
Talha Ikram

Share
Published by
Talha Ikram

Recent Posts

Garena Free Fire India Launch Rumors: What Fans Need to Know

Reports suggest that Garena Free Fire is set to make a much-anticipated return to India.…

13 hours ago

Albania Bans TikTok for One Year: Here’s the Reason!

The Albanian government has announced a ban on the social media platform TikTok for a…

17 hours ago

Google Pixel 9 Pro vs. 8 Pro: Biggest Upgrades Compared

The launch of Google’s latest Pixel lineup brings an exciting chance to compare the new…

19 hours ago

Azad Kashmir to Host Pakistan’s First Women-Centric Software Technology Park

ISLAMABAD: In February next year, Pakistan is set to launch its first women-focused software technology…

20 hours ago

HEC Reveals Law Admission Test Date for LLB Students

The Law Admission Test (LAT) has been announced by the Higher Education Commission (HEC) of…

20 hours ago

Meta’s WhatsApp to Release New Playback Speed Feature for Videos

Meta's WhatsApp is rolling out a new playback speed feature, allowing users to adjust video…

1 day ago