Technology

Pakistani white-hat hacker finds vulnerabilities in multiple mobile browsers

Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.

Rafay has published a detailed paper on his website about the vulnerabilities and the browsers that are currently affected by them. Currently, most of us trust a website if the URL at the top looks okay. According to the demonstration made by Rafay, this can be exploited by a technique called address bar spoofing.

This works by showing the same URL as a site you trust while you are on a different site altogether. Say you want to go to bing.com so you click on a link to take you to Bing. You look at the top and it says bing.com but it won’t be Bing.

He has done this by using the following code (if you don’t understand code, you can just skip to the output image):

<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
>
window.open(&quot;https://www.bing.com&quot;, &quot;WIN&quot;);
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>

The above output is from Opera Touch in iOS which is a very famous mobile browser. Similarly, the code was tested in multiple browsers on different operating systems. This was disclosed by the hacker as early as September to browser companies. Only Apple and Opera have responded to this according to Rafay Baloch.

The affected browsers are listed below:

CVE Vendor Browser Version Platform Fixed?
CVE-2020-7363 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE-2020-7364 UCWeb UC Browser 13.0.8 Android No reply from vendor
CVE TBD-Opera Opera Opera Mini 51.0.2254 Android Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera Opera Opera Touch 2.4.4 iOS Fix expected from vendor Nov. 11, 2020
CVE-2020-7369 Yandex Yandex Browser 20.8 Android Automated reply, followed up Oct. 19, 2020. Fix published Oct 1 in version 20.8.4.
CVE-2020-7370 Danyil Vasilenko Bolt Browser 1.4 iOS Support email bounced, alerted Apple product security
CVE-2020-7371 Raise IT Solutions RITS Browser 3.3.9 Android Fix expected Oct. 19, 2020
CVE-2020-9987 Apple Apple iOS 13.6 iOS Fix released Sept. 16, 2020

 

Since COVID started, multiple browsers were found to be vulnerable to phishing attacks as well. This is worrying as a vendor like UCWeb has not even responded to the disclosure. UC browser is used by more than 500 million users.

Image Source: Computerworld

Sponsored
Talha Ikram

Share
Published by
Talha Ikram

Recent Posts

Rumors Indicate iPhone 17 May Feature Unconventional Camera Design

Apple is reportedly preparing for a significant design overhaul with its iPhone 17 series, blending…

3 hours ago

First AI-Powered Teacher Launched in Pakistan’s Private School

Karachi: A private school in Karachi has unveiled Pakistan’s first AI-powered teacher, a groundbreaking move…

4 hours ago

Yahoo Surprises Users with Its Latest Android Launcher

Third-party apps have long been a staple of the Android ecosystem, but their appeal has…

5 hours ago

Phase-II Review of PTCL-Telenor Deal Finalized by CCP

ISLAMABAD: The Competition Commission of Pakistan (CCP) has completed its Phase-II review of Pakistan Telecommunication…

5 hours ago

Xiaomi’s SU7 Achieves New Production Record, Driving Q3 Growth

Xiaomi has shattered records by producing 100,000 vehicles in just 230 days. This is nearly…

7 hours ago

Teachers Can Now Access OpenAI’s Free AI Course

OpenAI, in collaboration with nonprofit organization Common Sense Media, announced on Wednesday the launch of…

8 hours ago