Pakistani ethical hacker Rafay Baloch has disclosed a vulnerability in Chrome and Firefox: the way these browsers rendered website addresses could expose users to malicious websites that appeared to be legitimate.
On Tuesday, Rafay Baloch published a post on his blog explaining the address-bar spoofing bug. The bug could allow an attacker to trick a user by making the address bar display a legitimate-looking URL while the page content actually comes from a site the attacker controls.
“The Google security team themselves state that ‘We recognize that the address bar is the only reliable security indicator in modern browsers’, and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance, potentially tricking users into supplying sensitive information to a malicious website, due to the fact that it could easily lead the users to believe that they are visiting a legitimate website as the address bar points to the correct website.”
This earned him a $5,000 bug bounty.
The address bar spoofing flaw works because languages such as Arabic and Hebrew are written from right to left. Browsers lay text out using the Unicode bidirectional algorithm, which takes the overall direction of a line from its first strong (directional) character; neutral characters such as “/” have no direction of their own and follow their surroundings. When the first strong character in a URL is an Arabic letter, the whole address is laid out right to left, so an IP address or Latin text at the start of the URL ends up at the far end of the display. Rafay spotted the bug by placing a neutral character such as “/” next to an Arabic letter such as “ا” in the file path, which, according to him, causes the URL to be flipped.
For example, 127.0.0.1/ا/http://example.com would instead appear in the address bar as http://example.com/ا/127.0.0.1. A person clicking the link would assume they were going to example.com, but the page content would actually come from 127.0.0.1. You can read about it in detail in his blog post.
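To make the mechanism concrete, the following is an added example (not code from the article, from Rafay Baloch, or from the browser vendors): a deliberately simplified implementation of the Unicode bidirectional algorithm (UAX #9) that covers only the character classes an ASCII URL with Arabic or Hebrew letters needs. It shows why a URL whose first strong character is right-to-left renders in flipped order, and how forcing the address field to a left-to-right paragraph direction (the same effect as dir="ltr" or a leading U+200E LEFT-TO-RIGHT MARK) keeps the logical order. The function names, the simplifications listed in the comments and the sample URL are assumptions made for this example; the sample URL is the one from the text, constructed inline.

```javascript
// Simplified Unicode Bidirectional Algorithm (UAX #9): enough to show why a URL
// whose first strong character is Arabic/Hebrew is laid out right-to-left.
// Added example; not the browsers' or the researcher's code. Supported bidi
// classes: L, R, AL, EN, CS, ON. Not handled (assumed unnecessary for this
// demo): ES/ET separators, explicit embedding controls, bracket pairs.

function bidiClass(ch) {
  const cp = ch.codePointAt(0);
  if (cp >= 0x0590 && cp <= 0x05FF) return 'R';     // Hebrew block: right-to-left
  if (cp >= 0x0600 && cp <= 0x06FF) return 'AL';    // Arabic block: Arabic letter
  if (cp >= 0x30 && cp <= 0x39) return 'EN';        // ASCII digits: European number
  if (/[A-Za-z]/.test(ch) || cp > 0x7F) return 'L'; // Latin; other scripts treated as L (simplification)
  if ('.:/,'.includes(ch)) return 'CS';             // common separators
  return 'ON';                                      // everything else: other neutral
}

// P2/P3: the paragraph direction comes from the first strong character.
function paragraphLevel(text) {
  for (const ch of text) {
    const t = bidiClass(ch);
    if (t === 'L') return 0;
    if (t === 'R' || t === 'AL') return 1;
  }
  return 0;
}

// W2-W7 and N1/N2: resolve weak and neutral types to L, R, EN or AN.
function resolveTypes(chars, paraLevel) {
  const sos = paraLevel % 2 ? 'R' : 'L';            // start-of-sequence type
  let types = chars.map(bidiClass);
  let lastStrong = sos;
  for (let i = 0; i < types.length; i++) {          // W2: EN after AL becomes AN
    const t = types[i];
    if (t === 'L' || t === 'R' || t === 'AL') lastStrong = t;
    else if (t === 'EN' && lastStrong === 'AL') types[i] = 'AN';
  }
  types = types.map(t => (t === 'AL' ? 'R' : t));   // W3: AL becomes R
  for (let i = 1; i < types.length - 1; i++) {      // W4: one CS between equal numbers
    if (types[i] === 'CS' && (types[i - 1] === 'EN' || types[i - 1] === 'AN') &&
        types[i - 1] === types[i + 1]) types[i] = types[i - 1];
  }
  types = types.map(t => (t === 'CS' ? 'ON' : t));  // W6: leftover separators are neutral
  lastStrong = sos;
  for (let i = 0; i < types.length; i++) {          // W7: EN after L becomes L
    const t = types[i];
    if (t === 'L' || t === 'R') lastStrong = t;
    else if (t === 'EN' && lastStrong === 'L') types[i] = 'L';
  }
  // N1/N2: a run of neutrals takes its neighbours' direction if they agree
  // (numbers count as R); otherwise it takes the paragraph direction.
  const asStrong = t => (t === 'L' ? 'L' : 'R');    // only L/R/EN/AN remain here
  for (let i = 0; i < types.length;) {
    if (types[i] !== 'ON') { i++; continue; }
    let j = i;
    while (j < types.length && types[j] === 'ON') j++;
    const before = i === 0 ? sos : asStrong(types[i - 1]);
    const after = j === types.length ? sos : asStrong(types[j]);
    types.fill(before === after ? before : sos, i, j);
    i = j;
  }
  return types;
}

// I1/I2: resolved types to embedding levels.
function resolveLevels(types, paraLevel) {
  return types.map(t => {
    if (paraLevel % 2 === 0) return t === 'R' ? paraLevel + 1 : (t === 'EN' || t === 'AN') ? paraLevel + 2 : paraLevel;
    return t === 'R' ? paraLevel : paraLevel + 1;
  });
}

// L2: from the highest level down to the lowest odd level, reverse every
// maximal run of characters at that level or higher.
function reorder(chars, levels) {
  const out = chars.slice();
  const odd = levels.filter(l => l % 2 === 1);
  if (odd.length === 0) return out.join('');
  for (let lvl = Math.max(...levels); lvl >= Math.min(...odd); lvl--) {
    for (let i = 0; i < levels.length;) {
      if (levels[i] < lvl) { i++; continue; }
      let j = i;
      while (j < levels.length && levels[j] >= lvl) j++;
      for (let a = i, b = j - 1; a < b; a++, b--) [out[a], out[b]] = [out[b], out[a]];
      i = j;
    }
  }
  return out.join('');
}

function visualOrder(text, paraLevel = paragraphLevel(text)) {
  const chars = Array.from(text);
  return reorder(chars, resolveLevels(resolveTypes(chars, paraLevel), paraLevel));
}

// Address bar that lets the URL's first strong character pick the direction: the behaviour described in the article.
function naiveAddressBar(url) { return visualOrder(url); }
// Address bar that always lays the URL out as a left-to-right paragraph (dir="ltr" / leading U+200E).
function ltrAddressBar(url) { return visualOrder(url, 0); }
// Check: the address flips as a whole exactly when its first strong character is right-to-left.
function isBidiSpoofable(url) { return paragraphLevel(url) === 1; }

// Constructed sample: the article's URL, with U+0627 ARABIC LETTER ALEF.
const SPOOF_URL = '127.0.0.1/\u0627/http://example.com';
console.log(naiveAddressBar(SPOOF_URL)); // http://example.com/ا/127.0.0.1
console.log(ltrAddressBar(SPOOF_URL));   // 127.0.0.1/ا/http://example.com
```

Run with node. The first line printed is the flipped address from the text; the second is the same URL rendered by a field pinned to left-to-right, where only the Arabic letter itself is laid out right-to-left and the scheme, host and path stay in logical order. Note that pinning the direction is a display-side mitigation; a URL containing right-to-left letters can still be confusing, so browsers additionally restrict which Unicode characters they show unescaped in the address bar.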
According to Rafay, the vulnerability exists in some other browsers as well, which are currently working on a fix, which is why he refrained from naming them. Chrome and Firefox have already fixed the bug following his report.
Rafay Baloch is an accomplished penetration tester. In 2012 he found a bug in PayPal that earned him a USD 10,000 bounty, and in 2014 his work on an Android bug was featured by Forbes and the BBC. He also featured in our 25 UNDER 25.
Editing by Muneeb Ahmad
Image — Hackread