HackDig : Dig high-quality web security articles for hackers

Chrome and Firefox Affected by Simple URL Spoofing Bug That Facilitates Phishing

2016-08-17 03:05

Security researcher Rafay Baloch has discovered a way to defeat several browser security features and spoof URLs in the browser address bar using a very simple trick.

At the time of writing, Google and Mozilla have fixed the issue, but Baloch said that other vendors are still working on getting this corrected. The researcher also revealed he received a $5,000 reward from Google for his bug report.

Chrome handles mixed RTL-LTR links incorrectly

Put simply, the problem lies in how browsers lay out URLs written with mixed RTL (Arabic) and LTR (Roman) characters.

According to Baloch, several browsers get confused and end up switching parts of the URL around, tricking users into thinking they are on a different site than the one they are really on.

For example, in Chrome, this bug takes a URL in the form of 158.10.230.11/ا/http://google.com and flips it around the Arabic "ا" character, so that it is displayed as http://google.com/ا/158.10.230.11.

Flaw is terribly easy to weaponize

A hacker running a phishing site can take the server's IP, add one of the few Arabic characters that trigger this behavior in the middle of the URL, and append the domain of a legitimate website at the end.

The attacker can then embed this URL in spam email, SMS, or IM messages. A user who clicks on it ends up on a page that shows a URL starting with a valid domain, while in reality the page is served from the crook's server.

"The IP address part can be easily hided [sic] specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic," Baloch explained.

Firefox affected as well

The same issue was present and fixed in Firefox (CVE-2016-5267), but with a slightly different exploitation scenario since Mozilla uses a different codebase from Google.

For Mozilla, the attackers had to use Arabic characters for the malicious URL, like so: http://عربي.امارات/google.com/test/test/test.

When accessing this link, the browser would display it in reverse as such: http://google.com/test/test/test/عربي.امارات/

Users should update their browsers to the latest versions to avoid being exposed to this security bug.
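For mail or URL filtering, the two URL shapes described above can be flagged before a user ever sees them. The following is an added example, not code from the article or from either browser vendor; the function names and finding labels are hypothetical, and it assumes the URL has already been percent-decoded. It is a triage heuristic: an Arabic-script host with a file name such as page.html in its path will also match.

```python
import ipaddress
import re
import unicodedata
from urllib.parse import urlsplit

RTL_CLASSES = {"R", "AL"}  # strong right-to-left bidi classes (Hebrew, Arabic)
SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
# Text in the path that a reader would take for a hostname or a nested URL.
DOMAIN_LIKE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)

# Constructed sample input: the article's two URL shapes plus a benign Arabic path.
ARABIC_HOST = "\u0639\u0631\u0628\u064a.\u0627\u0645\u0627\u0631\u0627\u062a"
SAMPLES = [
    "158.10.230.11/\u0627/http://google.com",
    "http://" + ARABIC_HOST + "/google.com/test/test/test",
    "https://ar.wikipedia.org/wiki/\u0639\u0631\u0628\u064a",
]


def has_rtl(text):
    """True if any character has a strong right-to-left bidi class."""
    return any(unicodedata.bidirectional(ch) in RTL_CLASSES for ch in text)


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bidi_spoof_findings(url):
    """Return labels for the reordering-prone shapes found in `url`."""
    if not SCHEME.match(url):
        url = "http://" + url  # urlsplit only recognises the host after a scheme
    parts = urlsplit(url)
    host = parts.hostname or ""
    lure = DOMAIN_LIKE.search(parts.path)
    findings = []
    if lure and is_ip(host) and has_rtl(parts.path):
        findings.append("ip-host-rtl-path-embedded-domain")  # Chrome shape
    if lure and has_rtl(host):
        findings.append("rtl-host-ltr-domain-in-path")  # Firefox shape
    return findings


if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), bidi_spoof_findings(sample))
```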

URL spoofing bug in Firefox


Source: news.softpedia.com/news/chrome-and-firefox-affected-by-simple-url-spoofing-bug-that-facilitat
