Seven mobile browsers, including Apple’s Safari, are vulnerable to address bar spoofing, according to a report by cybersecurity firm Rapid7.
The firm worked with Rafay Baloch, a Pakistani security researcher, and disclosed 10 new address bar spoofing vulnerabilities across these apps. Address bar spoofing is a technique by which a fake website makes the browser's address bar show the URL of a real one. Users then assume they are on a legitimate site and share information, when they are actually being phished.
Safari, Opera Touch, and Bolt Browser are at risk on iOS devices, while Opera Mini, UC Browser, Yandex, and RITS are vulnerable on Android devices. “First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and gives no indicators of forgery. Secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions,” commented Baloch.
The report shows how smartphones are more vulnerable to phishing and spoofing, and how this is a bigger risk for users. Smartphones are intrinsically tied to the daily life of users, across all applications. Any malicious activity can severely affect the user and their information.
Browsers on smartphones have little screen space for security indicators. Unlike on PCs, there is no other way to validate the source of information. “On phone browsers, sources begin and end with the URL as shown in the address bar. The fact of the matter is we don’t have much else to rely on,” the report stated.
With minimal security indicators, many mobile browsers are at risk. Safari and Yandex shipped immediate fixes, and Opera released security updates for Opera Touch. Opera Mini will have these updates by early November. RITS browser plans to release fixes this week, while UC Browser and Bolt Browser haven’t commented on the issue yet.