The infosec outfit, along with its “longtime mobile hacker friend Rafay Baloch,” discovered the software could be tricked into displaying the URL of one website while loading and displaying content from another. Such trickery is useful to, among others, thieves and fraudsters who might want to replace a bank’s online login page with one designed to harvest unwitting users’ login details.
“Because we have very few ways to actually validate the source of data on our phones, the address bar is pretty much the only bit of screen real estate that developers (angelic and devilish alike) are prohibited from monkeying with,” wrote Rapid7’s Tod Beardsley in a blog post.
He went on to explain: “By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”
Over on his own website, Baloch (no stranger to researching address bar spoofing attacks) published proof-of-concept code for exploiting Yandex Browser, Safari and Opera.
“It’s pertinent to mention here that several mobile brow ..