Cyber Citadel's Lead Security Researcher Rafay Baloch and Security Researcher Muhammad Samak disclosed address bar spoofing vulnerabilities in the DuckDuckGo browser for iOS, the Video Downloader Browser for Android and the Tap Browser for iOS.
The flaws can trick users into supplying sensitive information to attacker-controlled websites by displaying a trusted URL in the browser's address bar while the user is actually interacting with a malicious page. The vulnerabilities were reported through responsible disclosure, with a 60-day timeframe given to vendors before public disclosure. At the time of publishing, only DuckDuckGo had fixed the vulnerability.
Address Bar Spoofing Explained
Address bar spoofing renders SSL certificate checks and other visual trust indicators ineffective by manipulating the URL displayed in the browser. Users who check the address bar to verify they are on a legitimate site will see the URL of a trusted domain, even though the page content is being served from a completely different, malicious server.
The vulnerabilities were assigned a CVSS score of approximately 4.3, classified as medium severity. However, the real-world impact is amplified significantly by the broader threat landscape. During the Covid-19 pandemic, spear-phishing attacks rose by 667 per cent, with 2.1 million domains tied to phishing activity and 47 per cent of phishing attacks using fraudulent websites to harvest credentials.
Address bar spoofing combined with the surge in phishing activity creates a particularly dangerous threat to mobile users who rely on the address bar as their primary trust indicator.
DuckDuckGo Vulnerability
The DuckDuckGo vulnerability was assigned CVE-2021-44683. DuckDuckGo is one of the most popular privacy-focused browsers, downloaded approximately 5 million times per month. The iOS version 7.64.4 was found to be prone to address bar spoofing through the mishandling of the window.open JavaScript function.
By exploiting the way DuckDuckGo handled new windows opened via JavaScript, an attacker could display a trusted URL in the address bar while loading malicious content. Given DuckDuckGo's user base of privacy-conscious individuals, many of whom specifically choose the browser for its security features, this vulnerability was particularly concerning.
DuckDuckGo responded to the disclosure and released a fix in version 7.64.18.
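As an added illustration, not DuckDuckGo's code nor the researchers' proof of concept, the following toy model shows the design distinction behind this bug class: a browser shell that displays a requested URL before the navigation commits, beside one that, for page-initiated navigations such as window.open, updates the bar only from committed documents. The event names, hosts, policy names and the "request never commits" scenario are constructed assumptions for the example.

```javascript
// Added illustrative model, not code from DuckDuckGo, Tap Browser or the research:
// a toy browser shell deciding what its address bar should display.
// The engine reports three event kinds, constructed for this example:
//   start  - a navigation was requested; `initiator` is "user" (typed URL,
//            tapped bookmark) or "page" (script, e.g. window.open)
//   commit - the engine has really swapped in the document at `url`
//   abort  - the pending navigation failed, stalled or was cancelled
const BLANK = "about:blank";

function hostOf(url) {
  return new URL(url).host; // "" for about:blank
}

// Replays the events and reports what the bar shows versus what is rendered.
// policy "show-requested": display any requested URL at once (the flawed design).
// policy "commit-or-user": page-initiated navigations touch the bar only on
// commit; only user-initiated ones may show a pending URL, and an abort snaps
// the bar back to the committed document.
function addressBarState(events, policy) {
  let shown = BLANK;     // text in the address bar
  let committed = BLANK; // document actually on screen
  for (const ev of events) {
    switch (ev.type) {
      case "start":
        if (policy === "show-requested" || ev.initiator === "user") shown = ev.url;
        break;
      case "commit":
        committed = ev.url;
        shown = ev.url; // both policies agree once a document is committed
        break;
      case "abort":
        // the flawed policy leaves the stale requested URL on display
        if (policy === "commit-or-user") shown = committed;
        break;
      default:
        throw new Error(`unknown event type: ${ev.type}`);
    }
  }
  return { shown, committed, spoofed: hostOf(shown) !== hostOf(committed) };
}

// Constructed scenario: a script-opened window requests a well-known host, the
// request never commits, and the untrusted document stays on screen.
const SCENARIO = [
  { type: "commit", url: "https://untrusted.example/" },
  { type: "start", url: "https://accounts.example.com/login", initiator: "page" },
  { type: "abort" },
];
console.log(addressBarState(SCENARIO, "show-requested").spoofed); // true
console.log(addressBarState(SCENARIO, "commit-or-user").spoofed); // false
```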
Tap Browser Vulnerability
Tap Browser is an iOS-only browser with approximately 7,000 downloads. The vulnerability allowed an attacker to use secondary window spoofing to impersonate high-profile websites including Facebook, Gmail, Apple and Bing. Users interacting with what appeared to be login pages for these services could unknowingly submit their credentials to an attacker-controlled server.
At the time of publication, Tap Browser had not released a fix for the vulnerability.
HexCon Talk
In October 2021, Rafay Baloch presented the research at HexCon, the annual security conference. The presentation, titled "What you see, is not always what you get," provided a detailed technical walkthrough of the address bar spoofing techniques and their implications for mobile security. The talk demonstrated how the fundamental trust model of mobile browsers can be undermined through these vulnerabilities, and how the lack of visual security indicators on mobile devices makes users particularly susceptible.
Vendor Summary
- DuckDuckGo (iOS): CVE-2021-44683 — Affected version 7.64.4 — Fixed in version 7.64.18
- Video Downloader Browser (Android): Reported — Status pending at time of disclosure
- Tap Browser (iOS): Reported — Unfixed at time of disclosure
