Mobile browser flaw exposes users to spoofing attacks

Safari and Opera Touch browsers are among those which can be exploited to target victims with malware

21 Oct 2020

An anonymous mobile phone user using their device in a darkened room

Shutterstock

Hackers could exploit an address bar spoofing vulnerability found in a handful of widely-used mobile web browsers to deploy malware or conduct spear-phishing attacks.

Several mobile web browsers, including Safari and Opera Touch, were afflicted with a flaw that could allow an attacker to set up a malicious website and tempt a victim into opening a link from a spoofed email or text message.

This would then lead to the user downloading a malicious file or could put the victim at risk data therft, according to Rafay Baloch, an independent security researcher. Baloch worked in collaboration with Rapid7 to report the vulnerabilities to each browser developer.

The affected browsers, which also include UCWeb, Yandex Browser, Bolt Browser and RITS Browser, pose a risk in the way that an attacker can manipulate JavaScript to cause a pop-up to appear on a user’s device. This would be sourced from an arbitrary website, and the attacker could even render content in the browser to falsely appear as if it was sourced from an arbitrary website.

The site would need to be established by the attacker, and could be sent to victims through a phishing text or email with a spoofed contact number or identity, for example, a message that claims to be from PayPal.

The origin lies in the way a hacker could execute malicious JavaScript code in the arbitrary website to force the browser to update the address bar to another address of the attacker’s preference as the page loads.

“This seems like a pretty effective attack, given that the address bar is really the only signal you have to tell 'where' your browser 'is.' As it turns out, there are quite a few ways to get JavaScript to monkey with timing,” said director of research at Rapid7 Tom Beardsley.

Related Resource

The complete guide to changing your phone system provider

Optimise your phone system for better business results

How to change your phone system provider - whitepaper from Aircall

.imgHideOnJavaScriptDisabled_eexbtrkv4bfd5t { display: none !important; }

Download now

All vulnerabilities were disclosed to the respective developers in August following their discovery - and publicly revealed after sufficient time had elapsed. Both Apple and Opera immediately assigned tickets to fix the bugs affecting their browsers, with a Safari patch out now and an Opera Touch fix set for November.

Two vendors replied only days before public disclosure, one didn’t reply at all, while attempts to contact the last vendor bounced entirely.