Hackers could exploit an address bar spoofing vulnerability found in a handful of widely-used mobile web browsers to deploy malware or conduct spear-phishing attacks.
Several mobile web browsers, including Safari and Opera Touch, were afflicted with a flaw that could allow an attacker to set up a malicious website and tempt a victim into opening a link from a spoofed email or text message.
This would then lead to the user downloading a malicious file or could put the victim at risk data therft, according to Rafay Baloch, an independent security researcher. Baloch worked in collaboration with Rapid7 to report the vulnerabilities to each browser developer.
The affected browsers, which also include UCWeb, Yandex Browser, Bolt Browser and RITS Browser, pose a risk in the way that an attacker can manipulate JavaScript to cause a pop-up to appear on a user’s device. This would be sourced from an arbitrary website, and the attacker could even render content in the browser to falsely appear as if it was sourced from an arbitrary website.
The site would need to be established by the attacker, and could be sent to victims through a phishing text or email with a spoofed contact number or identity, for example, a message that claims to be from PayPal.
The origin lies in the way a hacker could execute malicious JavaScript code in the arbitrary website to force the browser to update the address bar to another address of the attacker’s preference as the page loads.
“This seems like a pretty effective attack, given that the address bar is really the only signal you have to tell 'where' your browser 'is.' As it turns out, there are quite a few ways to get JavaScript to monkey with timing,” said director of research at Rapid7 Tom Beardsley.
RELATED RESOURCE
The complete guide to changing your phone system provider
Optimise your phone system for better business results
All vulnerabilities were disclosed to the respective developers in August following their discovery - and publicly revealed after sufficient time had elapsed. Both Apple and Opera immediately assigned tickets to fix the bugs affecting their browsers, with a Safari patch out now and an Opera Touch fix set for November.
Two vendors replied only days before public disclosure, one didn’t reply at all, while attempts to contact the last vendor bounced entirely.
-
How to implement a four-day week in techIn-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businessesIn-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
HPE eyes enterprise data sovereignty gains with Aruba Networking Central expansionNews HPE has announced a sweeping expansion of its Aruba Networking Central platform, offering users a raft of new features focused on driving security and data sovereignty.
-
Fortify your future: How HPE ProLiant Servers deliver top-tier cyber security, management, and performanceWhitepaper Deploy servers with a secure approach
-
Fortify your future with HPE ProLiant Servers powered by IntelWhitepaper Enhance your security and manage your servers more effectively
-
Architecting enterprise networks for the next decadeWhitepaper A new paradigm in network architecture
-
Why network monitoring tools fail within secure environmentsWhitepaper Gain visibility into devices, networks, and applications
-
Better together: HPE Aruba Networking CX switches and HPE Aruba Networking CentralWhitepaper Explore the power and simplicity of managing HPE Aruba Networking CX Switches with HPE Aruba Networking Central
-
Cyber-resilient infrastructure starts with server securitywhitepaper Take a security-focused approach when investing in the next wave of IT infrastructure.
-
Driving digital innovation with intelligent infrastructurewhitepaper Strong infrastructure investment is driving digital in all industries
