Mobile browser flaw exposes users to spoofing attacks

Safari and Opera Touch browsers are among those which can be exploited to target victims with malware

Hackers could exploit an address bar spoofing vulnerability found in a handful of widely-used mobile web browsers to deploy malware or conduct spear-phishing attacks

Several mobile web browsers, including Safari and Opera Touch, were afflicted with a flaw that could allow an attacker to set up a malicious website and tempt a victim into opening a link from a spoofed email or text message. 

This would then lead to the user downloading a malicious file or could put the victim at risk data therft, according to Rafay Baloch, an independent security researcher. Baloch worked in collaboration with Rapid7 to report the vulnerabilities to each browser developer.

The affected browsers, which also include UCWeb, Yandex Browser, Bolt Browser and RITS Browser, pose a risk in the way that an attacker can manipulate JavaScript to cause a pop-up to appear on a user’s device. This would be sourced from an arbitrary website, and the attacker could even render content in the browser to falsely appear as if it was sourced from an arbitrary website.

The site would need to be established by the attacker, and could be sent to victims through a phishing text or email with a spoofed contact number or identity, for example, a message that claims to be from PayPal. 

The origin lies in the way a hacker could execute malicious JavaScript code in the arbitrary website to force the browser to update the address bar to another address of the attacker’s preference as the page loads.

“This seems like a pretty effective attack, given that the address bar is really the only signal you have to tell 'where' your browser 'is.' As it turns out, there are quite a few ways to get JavaScript to monkey with timing,” said director of research at Rapid7 Tom Beardsley.

Related Resource

The complete guide to changing your phone system provider

Optimise your phone system for better business results

How to change your phone system provider - whitepaper from AircallDownload now

All vulnerabilities were disclosed to the respective developers in August following their discovery - and publicly revealed after sufficient time had elapsed. Both Apple and Opera immediately assigned tickets to fix the bugs affecting their browsers, with a Safari patch out now and an Opera Touch fix set for November.

Two vendors replied only days before public disclosure, one didn’t reply at all, while attempts to contact the last vendor bounced entirely. 

Featured Resources

The definitive guide to warehouse efficiency

Get your free guide to creating efficiencies in the warehouse

Free download

The total economic impact™ of Datto

Cost savings and business benefits of using Datto Integrated Solutions

Download now

Three-step guide to modern customer experience

Support the critical role CX plays in your business

Free download

Ransomware report

The global state of the channel

Download now

Recommended

Critical flaw in vCenter Server could give hackers infrastructure access
vulnerability

Critical flaw in vCenter Server could give hackers infrastructure access

22 Sep 2021
Researchers disclose top flaws abused by ransomware gangs
ransomware

Researchers disclose top flaws abused by ransomware gangs

20 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021
How do hackers choose their targets?
hacking

How do hackers choose their targets?

17 Sep 2021

Most Popular

How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

17 Sep 2021
What are the pros and cons of AI?
machine learning

What are the pros and cons of AI?

8 Sep 2021
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

17 Sep 2021