
Address Bar Spoofing Vulnerability Found in Several Browsers

Chrome, Firefox and other web browsers are plagued by vulnerabilities that can be exploited to spoof their address bar. Some of the affected vendors are still working on addressing the issues.


Pakistan-based researcher Rafay Baloch discovered that the address bar in Google Chrome, also known as the omnibox, can be tricked into flipping URLs.

The problem, which affects Chrome for Android, stems from how the browser lays out text containing right-to-left (RTL) scripts such as Arabic and Hebrew. If an attacker's URL starts with an IP address and contains an Arabic character, the URL's host and path are displayed in reversed order.

For example, the URL 127.0.0.1/ا/http://example.com is rendered as http://example.com/ا/127.0.0.1 because it contains "ا", the Arabic letter alef, which causes the whole string to be laid out RTL. The method works with other Arabic characters as well, as long as the Arabic character is the first "strong" (directional) character in the URL: the digits and dots of the IP address are "weak" characters that do not set the text direction, so the alef that follows them determines it.

“The IP address part can be easily hidden, especially on mobile browsers, by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch explained in a blog post. “In order to make the attack more realistic, a Unicode version of a padlock can be used in order to demonstrate the presence of SSL.”

A similar vulnerability was also found in Firefox for Android (CVE-2016-5267). However, in Firefox’s case, the URL does not need to start with an IP address – the only requirement is that it contains Arabic characters that cause the URL to flip. For instance, http://عربي.امارات/google.com/test/test/test becomes google.com/test/test/test/عربي.امارات.
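The direction rule behind both the Chrome and the Firefox variants, as an added example that is not part of the original article or of Baloch's research: the base direction of a line is set by its first strongly directional character (Unicode Bidirectional Algorithm, UAX #9, rules P2/P3), while digits and punctuation are weak or neutral. The code below models that rule, flags a URL whose displayed form would be laid out RTL even though it carries ASCII host or path segments, checks for Unicode padlock glyphs, and shows the display-side hardening of forcing an LTR first strong character. It assumes, for the Firefox case, that the address bar omits the scheme (an assumption about the displayed string, not something the article states), and it approximates the RTL bidi classes by script membership rather than the full Bidi_Class property.

```javascript
// Added example, not code from the article, Chrome, or Firefox.
// Simplified model of UAX #9 base-direction selection plus a spoof check.

// Approximation of the strong RTL classes (R/AL): RTL scripts, the
// Right-to-Left Mark (U+200F) and the Arabic Letter Mark (U+061C).
const RTL_STRONG = /[\p{Script=Arabic}\p{Script=Hebrew}\p{Script=Syriac}\p{Script=Thaana}\u200F\u061C]/u;

// Padlock-like glyphs an attacker may place in a URL to fake an SSL indicator.
const PADLOCK_GLYPHS = /[\u{1F50F}\u{1F510}\u{1F512}\u{1F513}]/u;

// Coarse bidi class of one code point: digits are weak (EN/AN), RTL-script
// letters are strong R, all other letters and the LRM are strong L, and
// punctuation such as '/', '.', ':' is neutral.
function bidiClass(ch) {
  if (/\p{Nd}/u.test(ch)) return 'weak';
  if (RTL_STRONG.test(ch)) return 'R';
  if (/[\p{L}\u200E]/u.test(ch)) return 'L';
  return 'neutral';
}

// UAX #9 P2/P3: the first strong character sets the paragraph direction;
// with no strong character the default is LTR.
function firstStrongDirection(text) {
  for (const ch of text) {
    const c = bidiClass(ch);
    if (c === 'L' || c === 'R') return c;
  }
  return 'L';
}

// Assumption: the address bar hides the scheme, so "http://" never
// contributes the first strong character the way it would in raw text.
function displayedText(url) {
  return url.replace(/^https?:\/\//i, '');
}

// A displayed URL that will be laid out RTL yet contains Latin letters is
// exactly the shape of both spoofs above: the ASCII host/path segments end
// up visually reordered. A purely Arabic IDN is not flagged.
function looksLikeRtlSpoof(url) {
  const shown = displayedText(url);
  return firstStrongDirection(shown) === 'R' && /[A-Za-z]/.test(shown);
}

function containsPadlockGlyph(text) {
  return PADLOCK_GLYPHS.test(text);
}

// Hardening on the display side: prefix a Left-to-Right Mark (U+200E) so
// the first strong character is always LTR, whatever the URL contains.
function forceLtr(text) {
  return '\u200E' + text;
}

// Constructed sample inputs: the two URLs from the article plus a benign
// Arabic IDN and a padlock-decorated string.
const SAMPLES = [
  '127.0.0.1/ا/http://example.com',                  // Chrome for Android case
  'http://عربي.امارات/google.com/test/test/test',   // Firefox for Android case
  'https://عربي.امارات/',                            // legitimate Arabic host
  'https://example.com/path',                        // ordinary URL
  '🔒 example.com/login',                            // fake SSL indicator
];

for (const url of SAMPLES) {
  console.log(JSON.stringify(url),
    'dir=' + firstStrongDirection(displayedText(url)),
    'spoof=' + looksLikeRtlSpoof(url),
    'padlock=' + containsPadlockGlyph(url),
    'hardened dir=' + firstStrongDirection(forceLtr(displayedText(url))));
}
```

Wrapping the URL in a first-strong isolate (U+2068 ... U+2069) or an LTR isolate (U+2066 ... U+2069) is the other standard fix; the single-character LRM prefix is used here because it is the simplest form the model above can reason about. Note that the check deliberately does not flag a URL whose displayed text is entirely Arabic, since that is how a genuine Arabic IDN should look.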

Google has known about this issue for more than a year. Baloch said he informed Google about its presence in the Android version of Chrome in May, and the company addressed it in late June. Mozilla patched the flaw in Firefox for Android on August 2.

Baloch told SecurityWeek that other browsers are affected as well, including desktop versions. In the case of Firefox and Chrome, the vulnerability only impacts the mobile versions.

The researcher has earned $3,000 from Google, $1,000 from Mozilla and $1,000 from an unnamed browser vendor that is currently working on fixing the bug.

Related: Address Bar Spoofing Bugs Found in Safari, Chrome for Android

Related: Google to Fix Address Spoofing Bug in Chrome

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
