Mobile browser flaw exposes users to spoofing attacks

Safari and Opera Touch browsers are among those which can be exploited to target victims with malware

Hackers could exploit an address bar spoofing vulnerability found in a handful of widely-used mobile web browsers to deploy malware or conduct spear-phishing attacks

Several mobile web browsers, including Safari and Opera Touch, were afflicted with a flaw that could allow an attacker to set up a malicious website and tempt a victim into opening a link from a spoofed email or text message. 

This would then lead to the user downloading a malicious file or could put the victim at risk data therft, according to Rafay Baloch, an independent security researcher. Baloch worked in collaboration with Rapid7 to report the vulnerabilities to each browser developer.

The affected browsers, which also include UCWeb, Yandex Browser, Bolt Browser and RITS Browser, pose a risk in the way that an attacker can manipulate JavaScript to cause a pop-up to appear on a user’s device. This would be sourced from an arbitrary website, and the attacker could even render content in the browser to falsely appear as if it was sourced from an arbitrary website.

The site would need to be established by the attacker, and could be sent to victims through a phishing text or email with a spoofed contact number or identity, for example, a message that claims to be from PayPal. 

The origin lies in the way a hacker could execute malicious JavaScript code in the arbitrary website to force the browser to update the address bar to another address of the attacker’s preference as the page loads.

“This seems like a pretty effective attack, given that the address bar is really the only signal you have to tell 'where' your browser 'is.' As it turns out, there are quite a few ways to get JavaScript to monkey with timing,” said director of research at Rapid7 Tom Beardsley.

Related Resource

The complete guide to changing your phone system provider

Optimise your phone system for better business results

How to change your phone system provider - whitepaper from AircallDownload now

All vulnerabilities were disclosed to the respective developers in August following their discovery - and publicly revealed after sufficient time had elapsed. Both Apple and Opera immediately assigned tickets to fix the bugs affecting their browsers, with a Safari patch out now and an Opera Touch fix set for November.

Two vendors replied only days before public disclosure, one didn’t reply at all, while attempts to contact the last vendor bounced entirely. 

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

Watch now

A buyer’s guide to board management software

Improve your board’s performance

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

Download now

Recommended

UK's first government cyber strategy aims to bolster public sector defences
cyber security

UK's first government cyber strategy aims to bolster public sector defences

25 Jan 2022
IT Pro Podcast Special Edition: Learning to live with risk
Sponsored

IT Pro Podcast Special Edition: Learning to live with risk

25 Jan 2022
Russia's "politically motivated" REvil raid could be used as leverage, experts warn
ransomware

Russia's "politically motivated" REvil raid could be used as leverage, experts warn

17 Jan 2022
Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp
phishing

Meta files lawsuit to uncover hackers targeting Facebook, WhatsApp

21 Dec 2021

Most Popular

Dell XPS 15 (2021) review: The best just got better
Laptops

Dell XPS 15 (2021) review: The best just got better

14 Jan 2022
Sony pulls out of MWC 2022
Business operations

Sony pulls out of MWC 2022

14 Jan 2022
Synology DiskStation DS2422+ review: A cube of great capacity
network attached storage (NAS)

Synology DiskStation DS2422+ review: A cube of great capacity

10 Jan 2022