Technology

Pakistani white-hat hacker finds vulnerabilities in multiple mobile browsers

Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.

Rafay has published a detailed paper on his website about the vulnerabilities and the browsers that are currently affected by them. Currently, most of us trust a website if the URL at the top looks okay. According to the demonstration made by Rafay, this can be exploited by a technique called address bar spoofing.

This works by showing the same URL as a site you trust while you are on a different site altogether. Say you want to go to bing.com so you click on a link to take you to Bing. You look at the top and it says bing.com but it won’t be Bing.

He has done this by using the following code (if you don’t understand code, you can just skip to the output image):

<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
>
window.open(&quot;https://www.bing.com&quot;, &quot;WIN&quot;);
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>

The above output is from Opera Touch in iOS which is a very famous mobile browser. Similarly, the code was tested in multiple browsers on different operating systems. This was disclosed by the hacker as early as September to browser companies. Only Apple and Opera have responded to this according to Rafay Baloch.

The affected browsers are listed below:

CVE Vendor Browser Version Platform Fixed?
CVE-2020-7363 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE-2020-7364 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE TBD-Opera Opera Opera Mini 51.0.2254 Android Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE-2020-7369 Yandex Yandex Browser 20.8 Android Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 Danyil Vasilenko Bolt Browser 1.4 iOS Support email bounced, alerted Apple product security
CVE-2020-7371 Raise IT Solutions RITS Browser 3.3.9 Android Fix expected Oct. 19, 2020
CVE-2020-9987 Apple Apple iOS 13.6 iOS Fix released Sept. 16, 2020

 

Since COVID started, multiple browsers were found to be vulnerable to phishing attacks as well. This is worrying as a vendor like UCWeb has not even responded to the disclosure. UC browser is used by more than 500 million users.

Image Source: Computerworld

Sponsored
Talha Ikram

Leave a Comment
Share
Published by
Talha Ikram

Recent Posts

Microsoft Launches AI-Powered “Support Virtual Agent” for Xbox Users

Microsoft has launched its AI-powered “Support Virtual Agent” chatbot for Xbox Insiders in the U.S.,…

12 hours ago

Musk Says Tesla Won’t Enter Smartphone Market Unless Necessary

Android Authority recently polled its users to find out if they would purchase a Tesla…

13 hours ago

Sukkur IBA Sets Seven Conditions for Conducting MDCAT

The Secretary of the Sukkur IBA Testing Agency has formally requested urgent action from the…

13 hours ago

PSEB Opens Bidding for Nationwide e-Rozgar Centers

The Pakistan Software Export Board (PSEB) has launched a nationwide program to encourage IT startups…

14 hours ago

Google Play Services Bug Disrupts Access to Apps for Pixel Users: Here’s How to Fix It

A significant issue with Google Play Services has left many Pixel users unable to access…

14 hours ago

WhatsApp Beta Partners with Google for Innovative Image Search Feature

When it comes to Android messaging apps, WhatsApp stands out as one of the best.…

14 hours ago