An “address bar spoofing” vulnerability refers to a bug in a web browser that allows a malicious website to modify its real URL and show a fake one instead — usually one for a legitimate site.
Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been so dangerous as they are today.
While on desktop browsers there are various signs and security features that could be used to detect when malicious code alters the address bar to display a bogus URL, this is not possible on mobile browsers where screen size is at a premium, and many of the security features found in desktop browsers are missing.
With the address bar being the only and last line of defense on mobile browsers, address bar spoofing vulnerabilities are many times more dangerous on smartphones and other mobile devices.
Ten address bar spoofing bugs found in seven mobile browsers
In a report published today by cyber-security firm Rapid7, the company said it worked with Pakistani security researcher Rafay Baloch to disclose ten new address bar spoofing vulnerabilities across seven mobile browser apps.
The issues were discovered earlier this year and reported to browser makers in August. The big vendors patched the issues right away, while the smaller vendors didn’t even bother replying to the researchers, leaving their browsers vulnerable to attacks.
The Rapid7 exec says that by messing with the timing between when the page loads and when the browser gets a chance to refresh the address bar URL, a malicious site could force the browser to show the wrong address.
A finer breakdown of the technical “shenanigans” of each bug is available here, as detailed by Baloch.
Exploiting any of these bugs requires (1) an outdated browser and (2) an attacker capable of luring users on malicious sites.
Beardsley believes that attacks are easy to mount and recommends that users update their browsers as soon as possible or move to browsers that are not affected by these bugs.