Seven Mobile Browsers Vulnerable To Address Bar Spoofing Attacks (zdnet.com) 13
In a report published today by cyber-security firm Rapid7, the company said it worked with Pakistani security researcher Rafay Baloch to disclose ten new address bar spoofing vulnerabilities across seven mobile browser apps. From a report: Impacted browsers include big names like Apple Safari, Opera Touch, and Opera Mini, but also niche apps like Bolt, RITS, UC Browser, and Yandex Browser. The issues were discovered earlier this year and reported to browser makers in August. The big vendors patched the issues right away, while the smaller vendors didn't even bother replying to the researchers, leaving their browsers vulnerable to attacks. "Exploitation all comes down to 'JavaScript shenanigans'," said Rapid7's Research Director, Tod Beardsley. The Rapid7 exec says that by messing with the timing between when the page loads and when the browser gets a chance to refresh the address bar URL, a malicious site could force the browser to show the wrong address.
oh good. old problems... (Score:4)
I guess I'm old now because I remember a bunch of hard-learned lessons about what you don't do in the URL bar, like allowing different fonts/character sets it uses, that made the front page of Slashdot. Things were all fine and dandy until Google decided Chrome didn't need to show you all the gak at the end of the URL, and now everyone's following suit.
Right now when I have an article from NPR up on Safari, latest iOS yadda yadda yadda, and it just says "NPR.org", I have to drill down deeper to find out what the actual URL to that article is. WHY? All you haveta do is fool whatever their parser's doing.... again...sigh.
Sorry there's no real content here I'm just frustrated that we've taken this step backwards and noone has yet to provide a compelling reason for it. I just can't wait until someone reinvents ActiveX.
Re:oh good. old problems... (Score:4, Funny)
Re: (Score:2)
and if web designers dont want users exposed to that nonsense then they can fucking simplify their URLs.
Another happy Sharepoint user...
Re: (Score:2)
They should go the other way with handling long URL's anyways. Instead of shortening them, and instead of fitting as much as it can in the single line address bar, it should expand to a multi-line address bar, always showing 100% of the URL, and if web designers dont want users exposed to that nonsense then they can fucking simplify their URLs.
No no, they have to uniquely identify you to accurately track you. You wouldn't want the tracking companies to lose profit due to possible tracking inaccuracy, right?
Yes, this was a sarcastic comment intended to convey truth and unhappiness.
Re: oh good. old problems... (Score:2)
First, JavaScript should not be able to write or modify the URL in the address bar for obvious reasons.
Second, JavaScript should not be able to read the address bar for privacy reasons.
Third, it should be possible for users to disable JavaScript either on a per site basis or globally.
Ad companies like google will whine, but JavaScript is a proven security risk. Over and over and over â¦
That's a good thing. That *is* the reason for it (Score:4, Informative)
"Fool the parser" *is* the "compelling reason for it".
As you may know, it's easy to construct a URL that will fool most people's mental parser, to trick them regarding which site the URL is for.
Slightly trickier is fooling the parser in the email filter or whatever that tries to catch such malicious URLs, but that can be done too.
The simplified address bar shows which site the *browser* is actually connecting to. After the browser parses the URL, the address bar shows which site is actually being loaded. (It doesn't, or shouldn't, pass an unparsed url string to be re-parsed again separately for display purposes).
The problem this article covers is that it showed which site the browser is connecting to - not which site the already used in the past, to load this page. So a page that redirects to Facebook.com will show facebook.com in the address bar - during the redirect. Start the redirect but don't let it finish and boom, you've caused the browser to show something that misleads the user. The major browsers have fixed that.
If you don't use your cellphone browser much... (Score:3)
...disable javascript.
Re: (Score:2)
"JavaScript shenanigans"
If the past history of these two words commonly found in close proximity is any guide, the end result and final outcome will almost certainly be an unexpected surprise, an unintended mistake or a serious crisis. JavaScript is the free gift delivering Shenanigans as an extra bonus. Just write 'JavaScript' and avoid the redundancy.
Not to be confused with... (Score:5, Informative)
They dont mention it but this is separate from the problem where the mobile browser hides the real URL bar and a website can render one within the page that looks like the real one. This is a big problem on mobile because mobile browsers are keen on hiding the URL bar to save space. It's also a problem on full screen desktop browsers.
UC Browser Issues (Score:2)
While I doubt that many people on Slashdot would be using it, UC Browser, one of the smaller browsers mentioned, also has other serious security and privacy issues. If you know someone with this thing on their phone, tell them to get rid of it.
https://www.securityweek.com/uc-browser-poses-security-privacy-risks-researchers
Yandex? (Score:2)
Isn't that the browser/search engine sponsored by the CCCP?
Err, the Russian government?
Err, recommended by Comrade Putin?
Err, president Putin?
Err . ,. .
I doubt older versions will get the fixes... (Score:2)
... like iOS v12.4.8's Safari. :(
Let's just do away with address bars all together. (Score:2)