Mobile browser flaw exposes users to spoofing attacks

Safari and Opera Touch browsers are among those which can be exploited to target victims with malware

Hackers could exploit an address bar spoofing vulnerability found in a handful of widely-used mobile web browsers to deploy malware or conduct spear-phishing attacks

Several mobile web browsers, including Safari and Opera Touch, were afflicted with a flaw that could allow an attacker to set up a malicious website and tempt a victim into opening a link from a spoofed email or text message. 

This would then lead to the user downloading a malicious file or could put the victim at risk data therft, according to Rafay Baloch, an independent security researcher. Baloch worked in collaboration with Rapid7 to report the vulnerabilities to each browser developer.

The affected browsers, which also include UCWeb, Yandex Browser, Bolt Browser and RITS Browser, pose a risk in the way that an attacker can manipulate JavaScript to cause a pop-up to appear on a user’s device. This would be sourced from an arbitrary website, and the attacker could even render content in the browser to falsely appear as if it was sourced from an arbitrary website.

The site would need to be established by the attacker, and could be sent to victims through a phishing text or email with a spoofed contact number or identity, for example, a message that claims to be from PayPal. 

The origin lies in the way a hacker could execute malicious JavaScript code in the arbitrary website to force the browser to update the address bar to another address of the attacker’s preference as the page loads.

“This seems like a pretty effective attack, given that the address bar is really the only signal you have to tell 'where' your browser 'is.' As it turns out, there are quite a few ways to get JavaScript to monkey with timing,” said director of research at Rapid7 Tom Beardsley.

Related Resource

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

All vulnerabilities were disclosed to the respective developers in August following their discovery - and publicly revealed after sufficient time had elapsed. Both Apple and Opera immediately assigned tickets to fix the bugs affecting their browsers, with a Safari patch out now and an Opera Touch fix set for November.

Two vendors replied only days before public disclosure, one didn’t reply at all, while attempts to contact the last vendor bounced entirely. 

Featured Resources

Humility in AI: Building trustworthy and ethical AI systems

How humble AI can help safeguard your business

Download now

Future of video conferencing

Optimising video conferencing features to achieve business goals

Download now

Leadership compass: Privileged Access Management

Securing privileged accounts in a high-risk environment

Download now

Why you need to include the cloud in your disaster recovery plan

Preserving data for business success

Download now

Recommended

What is AES encryption?
Advanced Encryption Standard (AES)

What is AES encryption?

30 Nov 2020
UK's Huawei 5G ban brought forward to September 2021
Security

UK's Huawei 5G ban brought forward to September 2021

30 Nov 2020
Hacker claims to be selling C-suite executives' Microsoft credentials
Security

Hacker claims to be selling C-suite executives' Microsoft credentials

30 Nov 2020
What are biometrics?
Security

What are biometrics?

27 Nov 2020

Most Popular

What is phishing?
phishing

What is phishing?

25 Nov 2020
Huawei Mate 40 Pro 5G review: A tragically brilliant Mate
Mobile Phones

Huawei Mate 40 Pro 5G review: A tragically brilliant Mate

26 Nov 2020
Samsung Galaxy Note might be discontinued in 2021
Mobile Phones

Samsung Galaxy Note might be discontinued in 2021

1 Dec 2020