Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we\u2019re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser\u2019s address bar to make sure the site is legitimate.
\nBut even the browser\u2019s anti-phishing features \u2014 often the last line of defense for a would-be phishing victim \u2014 aren\u2019t perfect.
\nSecurity researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers \u2014 including Apple\u2019s Safari, Opera and Yandex \u2014 which if exploited would allow an attacker to trick the browser into displaying a different web address than the actual website that the user is on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.<\/p>\n
Riot automatically educates your team about phishing<\/p>\n
The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser\u2019s address bar to any other web address that the attacker chooses.
\nIn at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate \u2014 when it wasn\u2019t.<\/p>\n
An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7\/supplied)<\/p>\n
Rapid7\u2019s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.
\n\u201cOn mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there\u2019s not a lot of space available for security signals and sigils,\u201d Beardsley told TechCrunch. \u201cWhile on a desktop browser, you can either look at the link you\u2019re on, mouse over a link to see where you\u2019re going or even click on the lock to get certificate details. These extra sources don\u2019t really exist on mobile, so the location bar not only tells the user what site they\u2019re on, it\u2019s expected to tell the user this unambiguously and with certainty. If you\u2019re on palpay.com instead of the expected paypal.com, you could notice this and know you\u2019re on a fake site before you type in your password.\u201d
\n\u201cSpoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,\u201d he said.
\nBaloch and Beardsley said the browser makers responded with mixed results.
\nSo far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are \u201cin gradual rollout.\u201d
\nBut the makers of UC Browser, Bolt Browser and RITS Browser \u2014 which collectively have more than 600 million device installs \u2014 did not respond to the researchers and left the vulnerabilities unpatched.
\nTechCrunch reached out to each browser maker but none provided a statement by the time of publication.<\/p>\n
A simple bug makes it easy to spoof Google search results into spreading misinformation<\/p>\n