Rapid7 has disclosed a set of address bar spoofing vulnerabilities that affect a number of mobile browsers, ranging from the more common browsers, like Apple Safari and Opera Touch, to the less common, like Bolt Browser and RITS Browser. The announcement is a coordinated vulnerability disclosure publication with security researcher Rafay Baloch.
Technically, address bar spoofing is an instance of CWE-451 from the Common Weakness Enumeration, and tends to be scored around a CVSS 4.3 or so, which seems like not that big of a deal, says Rapid7. However, writes Tod Beardsley, "Mobile browsers are a pretty special sort of software that end up acting as a user's multipass for all types of critical applications in their day-to-day life. Any type of malicious messing with how this application presents itself is kind of a big deal, and can have serious consequences for the user, even if the alterations are relatively minor."
Vendors affected included UCWeb, Opera, Yandex, Danyil Vasilenko, Raise IT Solutions, and Apple. As of time of writing, Apple, Raise IT Solutions, Yandex, and Opera have released fixes or are expected to in the next weeks. Though some browsers are more popular than others, even some of these relatively obscure browsers, says Beardsley, have racked up hundreds of thousands of downloads, while the more popular or common browsers have 100-500 million installs.
Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile security solutions, notes, “While the Common Weakness Enumeration (CWE) being discussed here is a legitimate threat, URL spoofing goes well beyond a patchable vulnerability."
Schless adds, "URL spoofing is one of the most common ways attackers trick people into clicking a phishing link - especially on mobile devices. We're all used to tapping on links that are sent to our mobile devices. Think of the countless delivery notifications you get when you buy something online and how quickly you tap the link to check the tracking info. And because the screen is smaller, it's really hard to identify a spoofed URL with discreet changes. For example, an attacker may add an accent or special character to one letter in the address that a user wouldn't even notice."
According to Schless, mobile phishing is the fastest-growing problem for IT and security teams for this exact reason. "Mobile phishing attacks can be delivered through countless methods, such as text messages, emails, social media platforms, and third-party messengers. Protecting against mobile phishing is very different than for desktops or laptops. Traditional security methods require content inspection, which you can't do on a mobile device. It is also a massive invasion of privacy as we use our phones for personal activities, which could discourage end users from actually activating the tool - creating a bigger gap in the security posture," he says. "A modern approach to mobile phishing protection will only observe the URL requests being made out of a browser or any other app and block them if they're malicious. This preserves end user privacy while simultaneously increasing adoption and strengthening your security strategy."
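The two points Schless makes above, that a single accented or lookalike letter in a hostname is easy to miss on a small screen, and that a privacy-preserving filter can inspect only the URL requests an app makes, can be combined into a small defender-side check. The following is an added example, not code from Rapid7, Lookout or any of the browser vendors named; the protected-domain list, the confusable-letter subset and the sample requests are all constructed for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allow-list: domains whose lookalikes we want to catch.
PROTECTED_DOMAINS = {"paypal.com", "example.com"}

# Hand-picked Cyrillic/Greek letters that render like Latin ones (illustrative
# subset; a real deployment would use the full Unicode confusables table).
CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "\u03bd": "v",
})

def to_unicode_host(host: str) -> str:
    """Decode punycode (xn--) labels so the form the user sees is what gets inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or malformed: inspect as given

def skeleton(host: str) -> str:
    """Collapse a hostname to the plain ASCII it visually resembles:
    strip accents (NFKD, then drop combining marks), then map confusable letters."""
    decomposed = unicodedata.normalize("NFKD", to_unicode_host(host).lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)

def assess_url(url: str) -> dict:
    """Verdict for one outbound request, using only its hostname (no page content)."""
    host = urlsplit(url).hostname or ""
    shown = to_unicode_host(host)
    skel = skeleton(host)
    return {
        "host": shown,
        "skeleton": skel,
        "non_ascii": any(ord(c) > 127 for c in shown),
        # Resembles a protected brand but is not literally that domain.
        "lookalike": skel in PROTECTED_DOMAINS and shown != skel,
    }

def flagged_hosts(urls) -> list:
    """Hostnames (as displayed) that should be blocked or sent for review."""
    return [v["host"] for v in map(assess_url, urls) if v["lookalike"]]

# Constructed sample of URL requests as an on-device filter might observe them.
SAMPLE_REQUESTS = [
    "https://paypal.com/signin",              # genuine
    "https://p\u0430ypal.com/signin",         # Cyrillic 'а' swapped in
    "https://p\u00e0ypal.com/track?id=1",     # accented 'à'
    "https://xn--pypal-4ve.com/",             # same Cyrillic swap, punycode form
    "https://news.example.org/",              # unrelated, not flagged
]

if __name__ == "__main__":
    for host in flagged_hosts(SAMPLE_REQUESTS):
        print("flag:", host)
```

The check deliberately never fetches or inspects page content, matching the privacy constraint described above; it only needs the hostname of each request.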