Security researcher and bug hunter Arif Khan has discovered a browser address bar spoofing vulnerability that affects the popular Chinese UC Browser and UC Browser Mini apps for Android. The vulnerability affects the latest versions, UC Browser 22.214.171.1244 and UC Browser Mini 126.96.36.1992.
Older versions of the browsers are not affected by the flaw, a circumstance that suggests that the URL Address Bar spoofing vulnerability was introduced with the implementation of a new feature.
The vulnerability exposes users to URL spoofing attacks: attackers could change the URL displayed in the address bar of the mobile browser to trick victims into visiting a website under the attackers' control, which could then be used for several malicious purposes.
UC Browser was developed by the firm UCWeb and is widely adopted on mobile devices in China and India. UC Browser is currently used by more than 600,000 users worldwide.
The flaw is related to the way the user interface of UC Browser and UC Browser Mini handles a built-in feature designed to improve users' Google search experience.
“This vulnerability allows any attacker to pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making a user visit www.google.com.blogspot.com/?q=www.facebook.com,” reads the blog post published by the expert.
To enhance the user experience when searching on “google.com” or other search engines and websites, the UC browsers remove the domain from the address bar and display only the search term.
Arif discovered that attackers could abuse this behavior by creating subdomains on their own domain, such as “www.google.com.phishing-site.com?q=www.facebook.com.” With this trick, vulnerable browsers treat “www.facebook.com” as the search query.
Unaware users could be tricked into thinking they are visiting a legitimate website when they are actually being shown a phishing page.
“The fact that their regex rules just match the URL string, or, the URL any user is trying to visit a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com,” continues the expert, who also published a video PoC.
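The prefix check the researcher describes, shown next to a hostname-exact check, as an added example that is not taken from the original post or from UC Browser's code. The function names, the allowlist and the `https://` scheme on the sample URLs are assumptions made for illustration.

```javascript
// Hypothetical allowlist of search hosts whose query may replace the URL.
const SEARCH_HOSTS = new Set(["www.google.com", "google.com"]);

// Weak check, as the researcher describes it: the URL string only has to
// BEGIN with an allowlisted name, so any longer hostname that starts with
// "www.google.com" passes as well.
function isSearchPageWeak(rawUrl) {
  return /^https?:\/\/www\.google\.com/i.test(rawUrl);
}

// Hardened check: parse the URL, require HTTPS, and compare the complete
// hostname for exact equality against the allowlist.
function isSearchPageStrict(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return false; // unparseable input is never treated as a search page
  }
  if (u.protocol !== "https:") return false;
  return SEARCH_HOSTS.has(u.hostname.replace(/\.$/, "")); // ignore root dot
}

// Text for the address bar: the search term only on a verified search page,
// otherwise the real origin so the user can see which site is loaded.
function addressBarText(rawUrl, isSearchPage) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch {
    return rawUrl;
  }
  const q = u.searchParams.get("q");
  return isSearchPage(rawUrl) && q ? q : u.origin;
}

// Sample URLs: the first follows the pattern quoted in the article, the
// second is a constructed legitimate search URL.
const SPOOF = "https://www.google.com.blogspot.com/?q=www.facebook.com";
const LEGIT = "https://www.google.com/search?q=www.facebook.com";

for (const url of [SPOOF, LEGIT]) {
  console.log(url);
  console.log("  weak   ->", addressBarText(url, isSearchPageWeak));
  console.log("  strict ->", addressBarText(url, isSearchPageStrict));
}
```

With the weak check both URLs render as `www.facebook.com`; with the strict check only the genuine search page does, and the look-alike host is shown in full.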
The expert pointed out that the vulnerability in the UC browsers does not allow an attacker to spoof the SSL indicator.
Khan reported the vulnerability to the UC Browser team more than a week ago, but the issue has not yet been fixed.