Cyber Citadel

Address Bar Vulnerabilities Disclosed by Researcher

Rafay Baloch and Tod Beardsley disclose address bar spoofing vulnerabilities in seven mobile browsers, putting hundreds of millions of users at risk.


Cyber Citadel Lead Security Researcher Rafay Baloch, together with Rapid7 Director of Research Tod Beardsley, has disclosed address bar spoofing vulnerabilities in seven mobile web browsers, putting hundreds of millions of users at risk.

The vulnerabilities affect some of the most widely used mobile browsers in the world, including Safari, Opera Touch, Yandex Browser, Bolt Browser, UC Browser and RITS Browser. Address bar spoofing lets an attacker control the URL shown in the browser's address bar, so that a page served from an attacker-controlled server appears to come from a legitimate, trusted domain.

Desktop vs Mobile Security

Desktop browsers have long provided visual security indicators to help users verify the identity of websites. Lock icons, TLS certificate details and extended validation certificate indicators give users tools to confirm they are interacting with the site they intended. These indicators are not perfect: a lock icon only confirms an encrypted connection to the host named in the address bar, not that the host is the one the user wanted, so they are only useful if the address bar itself is trustworthy. They nonetheless provide an important layer of defence against phishing and spoofing attacks.

Mobile browsers, however, lack the screen real estate to display these indicators effectively. The limited space on a mobile screen means that security information is often truncated, hidden behind menus or omitted entirely, and the address bar frequently shows only the hostname rather than the full URL. Many mobile users are simply unaware of how to validate the identity of a website on their device, which makes them particularly vulnerable to address bar spoofing attacks.

The Technical Details

Baloch's proof of concept demonstrated how JavaScript manipulation of page loading behaviour could be exploited to spoof the address bar. The technique uses a setInterval callback that reloads the page every 2 milliseconds, creating a race between the repeated loads and the browser's address bar update: the address bar never catches up to reflect the URL actually being loaded, so it keeps showing a URL of the attacker's choosing while attacker-controlled content is rendered.

This technique enables attackers to create fraudulent pop-ups and pages imitating banks, healthcare providers, government agencies and other trusted institutions. A victim who follows a link could be presented with what appears to be their bank's login page, complete with the bank's URL in the address bar, while the page is actually hosted on an attacker-controlled server built to harvest credentials.

Safari was particularly affected. By default, Safari does not display port numbers in the address bar, so a URL that differs from the legitimate one only in its port number is shown as the bare legitimate hostname. That makes the spoofing attack more convincing and harder for users to detect, because the one visible clue that something is wrong has been removed.

Vendor Response

Apple and Opera responded promptly to the disclosure and worked to develop patches for their respective browsers. Apple released a fix for Safari, and Opera addressed the vulnerability in Opera Touch.

Other vendors, however, were significantly slower to respond. UC Browser, which has over 500 million users worldwide, was slow to acknowledge and address the vulnerability. Yandex, Bolt and RITS also took longer to respond, and some vendors had not acknowledged the disclosure at all at the time of publication.

Researcher Background

Rafay Baloch has an extensive track record of discovering critical browser vulnerabilities. His previous research includes the discovery of address bar spoofing vulnerabilities in Google Chrome and Mozilla Firefox in 2016, as well as a critical vulnerability in the Android default browser in 2014 that affected a large portion of the global Android user base.

In 2012, Baloch was awarded a $10,000 bounty from PayPal for discovering a critical security vulnerability in the payment platform. He is listed in the security Halls of Fame of Google, Facebook, PayPal and Microsoft, recognition of his contributions to improving the security of some of the world's most widely used platforms.
