Security researcher and bug hunter Arif Khan has discovered a browser address bar spoofing vulnerability that affects the popular Chinese UC Browser and UC Browser Mini apps for Android. The vulnerability affects the latest versions of the apps, UC Browser 126.96.36.1994 and UC Browser Mini 188.8.131.522.
Older versions of the browsers are not affected by the flaw, a circumstance that suggests that the URL Address Bar spoofing vulnerability was introduced with the implementation of a new feature.
The vulnerability exposes users to URL spoofing attacks: an attacker can change the URL displayed in the address bar of the mobile browser to trick victims into believing they are on a trusted site while they are actually visiting a website under the attacker's control, which could be used for several malicious purposes.
UC Browser was developed by the firm UCWeb and is widely adopted on mobile devices in China and India. The UC Browser is currently used by more than 600,000 users worldwide.
The flaw is related to the way the user interface of UC Browser and UC Browser Mini handles a built-in feature designed to improve users' Google search experience.
“This vulnerability allows any attacker to pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making a user visit www.google.com.blogspot.com/?q=www.facebook.com,” reads the blog post published by the expert.
To enhance the user experience when searching on “google.com” or other search engines and websites, the UC browsers remove the domain from the address bar and display only the search term.
Arif discovered that attackers can abuse this behavior by creating subdomains on their own domain, such as “www.google.com.phishing-site.com?q=www.facebook.com.” With this trick, vulnerable browsers treat “www.facebook.com” as the search query and show it in the address bar in place of the real domain.
Unaware users could be tricked into thinking they’re visiting a legitimate website when they are actually being shown a phishing page.
“The fact that their regex rules just match the URL string, or, the URL any user is trying to visit a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com,” continues the expert, who also published a video PoC.
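The check described in the quote can be contrasted with a hostname comparison, as in this added example (not UC Browser code and not from the researcher's post). The allowlist, the prefix regex and the function names are assumptions that model the described behaviour, and the sample URLs are constructed from the shapes quoted above with a scheme added.

```javascript
// Added example, not UC Browser code. SEARCH_HOSTS, the prefix regex and the
// function names are assumptions modelling the behaviour the article describes.
const SEARCH_HOSTS = new Set(["www.google.com"]);

// Parse a URL string, returning null instead of throwing on bad input.
function parseUrl(rawUrl) {
  try { return new URL(rawUrl); } catch { return null; }
}

// Flawed: decides "this is a Google search" from how the URL string begins.
function addressBarTextPrefixCheck(rawUrl) {
  const url = parseUrl(rawUrl);
  if (!url || !/^https?:\/\/www\.google\.com/.test(rawUrl)) return rawUrl;
  // Domain is hidden and only the search term is displayed.
  return url.searchParams.get("q") || rawUrl;
}

// Hardened: parse first, then compare the complete hostname to the allowlist.
function addressBarTextHostCheck(rawUrl) {
  const url = parseUrl(rawUrl);
  if (!url) return rawUrl; // unparseable input is shown unchanged
  const term = url.searchParams.get("q");
  if (SEARCH_HOSTS.has(url.hostname) && term) return term;
  return url.hostname; // any other site keeps its real host visible
}

// Constructed samples: one genuine search URL plus the two URL shapes
// quoted in the article (https:// added so they parse).
const SAMPLES = [
  "https://www.google.com/search?q=uc+browser",
  "https://www.google.com.blogspot.com/?q=www.facebook.com",
  "https://www.google.com.phishing-site.com?q=www.facebook.com",
];

// Returns what each check would put in the address bar for every sample.
function compare(samples) {
  return samples.map((u) => ({
    url: u,
    prefixCheck: addressBarTextPrefixCheck(u),
    hostCheck: addressBarTextHostCheck(u),
  }));
}

console.table(compare(SAMPLES));
```

The prefix check shows “www.facebook.com” for both look-alike hosts, while the hostname comparison keeps the real host on screen.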
The expert pointed out that the vulnerability in the UC browsers does not allow an attacker to spoof the SSL indicator.
Khan reported the vulnerability to the UC Browser team more than a week ago, but the issue has not yet been fixed.