A URL address bar spoofing vulnerability, if left unpatched, could take mobile browser users to a fraudulent website where attackers could steal individuals' account credentials and credit card information.
Tod Beardsley, director of research at Rapid7, which disclosed the vulnerability, said the flaw, which has been patched by most major browser vendors, is an instance of CWE-451 (User Interface Misrepresentation of Critical Information) from the Common Weakness Enumeration. It is cause for concern because victims on mobile devices can't tell the difference between the real site and the fake site they land on.
In its most common iteration, a user is either lured into clicking a link on a forum (such as Reddit) or a social media site, or receives a text message on their mobile device with a link that takes them to the fraudulent site. In every instance, once the user clicks, they are asked to give up something, whether it's credentials or credit card information.
“I can’t really tell the difference,” Beardsley said. “The mobile address bar is so small that it’s literally impossible to distinguish between the real site and the fraudulent site.”
Beardsley said many of the major browser vendors, such as Apple Safari and Opera, have already issued patches for the vulnerability, which was discovered last summer by researcher Rafay Baloch. Rapid7 also heard from Yandex and RITS, which indicated they intend to issue a fix. Both UC and Bolt, which were also affected by the vulnerability, have yet to contact Rapid7 about a patch.
While the vulnerability has been patched for the vast majority of mobile users and there’s really no imminent danger, Beardsley said he was concerned that the technique could get into the wrong hands, for example, a bad actor who wanted to spread misinformation about COVID-19.
Hank Schless, senior manager, security solutions at Lookout, said URL spoofing has become one of the most common ways attackers can trick people into clicking a phishing link – especially on mobile devices.
“Mobile phishing attacks can be delivered through countless methods, such as text messages, emails, social media platforms, and third-party messengers,” Schless said. “We’re all used to tapping on links that are sent to our mobile devices. Think of the countless delivery notifications you get when you buy something online and how quickly you tap the link to check the tracking info. And because the screen is smaller, it’s really hard to identify a spoofed URL with discreet changes. For example, an attacker may add an accent or special character to one letter in the address that a user wouldn’t even notice.”
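The lookalike-character trick Schless describes can be caught before a link is tapped. The following is an added defensive example, not code from Rapid7, Lookout or the article: it takes a URL, decodes any punycode (`xn--`) hostname back to the Unicode a user would see, strips accents so an accented letter collapses onto its plain form, and compares the result against a constructed allow-list of trusted hostnames (`TRUSTED_HOSTS` is an assumed placeholder). Hostnames that still contain non-ASCII characters after that check, such as a Cyrillic letter standing in for a Latin one, are flagged as suspicious rather than silently passed.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list for this example; a real deployment would use
# the organisation's own list of legitimate login and payment hosts.
TRUSTED_HOSTS = {"example.com", "www.example.com", "login.example.com"}


def hostname_of(url: str) -> str:
    """Return the lowercase hostname of a URL, or '' if it has none."""
    return (urlsplit(url).hostname or "").lower()


def decode_idna(host: str) -> str:
    """Turn punycode labels (xn--...) back into the Unicode the user would see."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        # Already contains Unicode, or is malformed punycode: keep as-is.
        return host


def skeleton(host: str) -> str:
    """Drop accents and compatibility forms so 'exámple' collapses to 'example'."""
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def classify(url: str, trusted=TRUSTED_HOSTS) -> str:
    """Label a URL as 'trusted', 'lookalike', 'suspicious' or 'unknown'.

    lookalike  - hostname differs from a trusted one only by accents/marks
    suspicious - hostname contains non-ASCII characters that do not reduce
                 to a trusted name (e.g. a Cyrillic letter mimicking Latin)
    """
    host = decode_idna(hostname_of(url))
    if host in trusted:
        return "trusted"
    if not host.isascii():
        if skeleton(host) in trusted:
            return "lookalike"
        return "suspicious"
    return "unknown"
```

Run `classify()` over URLs extracted from SMS or mail bodies before presenting them to users; anything other than "trusted" or "unknown" deserves a warning or a block.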