Tuesday 15 December 2020

Address Bar Spoofing Vulnerability in Multiple Browsers (Jio Browser, Apple Safari Browser, BitDefender SafePay Browser and F-Secure Browser)




Jio Android Browser Address Bar Spoofing Vulnerability


An Address Bar Spoofing (URL Spoofing) vulnerability allows an attacker to display fake or malicious content while the browser's address bar shows the URL of a legitimate domain. Because the address bar (and its padlock indicator) is the main cue users have for which site they are on, a spoof lets a phishing page present itself as a trusted site even though the content is actually served from an attacker-controlled origin.

More details are available on the EHackingNews website.


Example: in the left screenshot the address bar shows jio.com and the page shows the valid content; in the right screenshot the address bar also shows jio.com, but the page shows fake content. That is what an Address Bar Spoofing vulnerability looks like.

[Screenshots: jio.com (Valid Content) | jio.com (Fake Contents)]



After the ban on Chinese applications in India, people were encouraged to use #MadeInIndia apps to promote apps made by Indian companies and developers.

One such Made in India app, Jio Browser, got my attention as it has a clean user interface and easy-to-use features just like other popular browsers. While researching, I found that Jio Browser isn't handling URLs properly, which allows a malicious user to perform Address Bar Spoofing attacks on victims.

Here is the Video Demonstration



Tested Environment

Device  - OnePlus 5T
Android - 10.0.0
Jio Browser Version - 1.4.6

Timeline of Reporting
Initial Report - Tue, Jun 30, 2020
Initial Response - They responded within an hour, saw the PoCs, acknowledged the report, and we exchanged a few emails.
Stopped Responding - After a few email exchanges they stopped responding to me after Sep 5th, 2020.
Multiple (3) Reminders - Sent on Sep 5th and Sep 17th, 2020.
Shared my public disclosure timeline with the Jio team when they responded - Oct 7th and Oct 14th, 2020.
Public disclosure was planned for 8th Nov but due to some issues could not be made then.
Final Disclosure Made on - 20th Nov 2020.
Fixed - The new version of Jio Browser (Jio Pages) looks to have fixed this issue; not confirmed.

===========================================================================


Apple Safari Web Browser Address Bar Spoofing Vulnerability

Apple Safari 13.1.1 running on macOS Catalina was also found vulnerable to the same issue. Here is the screenshot.




Tested Environment

Device  - MacBook Pro Mid 2012
macOS Catalina 10.15.5
Safari Version - 13.1.1

Timeline of Reporting
Initial Report - June 21, 2020
First Response - June 21, 2020
Fix Released - Safari 14.0.1 (https://support.apple.com/en-in/HT211934)
CVE - CVE-2020-9945
Acknowledgement received and public disclosure approved.



===========================================================================


BitDefender Safe Pay Web Browser Address Bar Spoofing Vulnerability



The BitDefender Safe Pay web browser was also found affected by the same vulnerability.


Here is the Video Demonstration.




Test Environment:
===============
Windows 10 Home 64-bit with latest updates

Affected Product Details:
=======================
BitDefender AntiVirus Plus 2020
Build 24.0.26.137
Last Product Update - 14-07-2020 15:21

Timeline
First Report - July 21, 2020
Acknowledged - July 28, 2020
CVE - CVE-2020-15733
Fix Released - The fix was implemented by October 6th, 2020.

===========================================================================


F-Secure Safe Android Browser Address Bar Spoofing Vulnerability



F-Secure has an inbuilt Android browser, called the "F-Safe" Android browser, which was also found affected by the same vulnerability.


Here is the Video Demonstration.




Affected Product
Testing Environment - Android 10, Device OnePlus 5T.
F-Secure Android Antivirus Version - 17.8.0014763 FS_GP


Timeline
First Report - June 14, 2020
Fix Released - Version 17.9

===========================================================================



Two more popular browsers were found vulnerable; I will update this blog post once permission is received from the vendors.













