Vulntober: Multiple Mobile Browser Address Bar Spoofing Vulnerabilities

Today, we're announcing a coordinated vulnerability disclosure publication with our longtime mobile hacker friend, Rafay Baloch. If you'd like to just jump straight to the technical details for these vulnerabilities, I invite you to read his paper here. If you want to know more about why this vulnerability class matters, read on!


What we're disclosing today is a set of address bar spoofing vulnerabilities that affect a number of mobile browsers, ranging from the more common browsers, like Apple Safari and Opera Touch, to the less common, like Bolt Browser and RITS Browser. Technically, address bar spoofing is an instance of CWE-451 (User Interface Misrepresentation of Critical Information) from the Common Weakness Enumeration, and it tends to receive a CVSS base score of around 4.3, which seems like not that big of a deal.


Mobile devices and security sigils


But here's the thing: Mobile browsers are a pretty special sort of software that end up acting as a user’s multipass for all types of critical applications in their day-to-day life. Any type of malicious messing with how this application presents itself is kind of a big deal, and can have serious consequences for the user, even if the alterations are relatively minor.

