Safari, other mobile browsers affected by address bar spoofing flaws

Security researcher Rafay Baloch has discovered address bar spoofing vulnerabilities in several mobile browsers, which could allow attackers to trick users into sharing sensitive information through legitimate-looking phishing sites.

“With ever growing sophistication of spear phishing attacks, exploitation of browser-based vulnerabilities such as address bar spoofing may exacerbate the success of spear phishing attacks and hence prove to be very lethal,” he noted.

“First and foremost, it is easy to persuade the victim into stealing credentials or distributing malware when the address bar points to a trusted website and giving no indicators of forgery; secondly, since the vulnerability exploits a specific feature in a browser, it can evade several anti-phishing schemes and solutions.”

The address bar spoofing vulnerabilities and affected mobile browsers

Unlike desktop browsers, mobile browsers are not great at showing security indicators that might point to a site’s malicious nature. In fact, pretty much the only consistent indicator is the address bar (i.e. a suspicious-looking URL in it).

So if the attacker is able to spoof the URL and show the one the user expects – for example, apple.com for a phishing site that impersonates Apple – chances are good the user will enter their login credentials into it. The vulnerabilities discovered by Baloch permit exactly that, and affect:

  • UC Browser, Opera Mini, Yandex Browser and RITS Browser for Android
  • Opera Touch, Bolt Browser and Safari for iOS

“Exploitation all comes down to ‘Javascript shenanigans’,” noted Rapid7’s Tod Beardsley, who helped Baloch disclose the flaws to the developers of the affected browsers.

“By messing with the timing between page loads and when the browser gets a chance to refresh the address bar, an attacker can cause either a pop-up to appear to come from an arbitrary website or can render content in the browser window that falsely appears to come from an arbitrary website.”

Fixes for some, not for others

As 60+ days have passed since the vendors were apprised of the existence of the flaws, Baloch released some details and several PoC exploits.

In the meantime:

  • Apple and Yandex pushed out fixes
  • Opera released security updates for Opera Touch and is expected to do the same for Opera Mini in early November
  • Raise IT Solutions planned to release a fix for the RITS Browser this week, but hasn’t yet
  • UCWeb (the creators of the UC Browser) haven’t responded to the report, and it’s doubtful whether the creator of the Bolt Browser knows about the vulnerabilities, as they haven’t been able to contact him (disclosure notification bounced when sent to the support email listed)

Users should implement the offered updates (if they don’t have the “auto-update” option switched on). Those who use browsers that still don’t have fixes available might want to consider switching to a browser that’s more actively developed/patched.

But all should be extra careful when thinking about clicking on links received via text or email from unknown sources. These flaws have been remediated, but other similar ones will surely be discovered in the future – let’s just hope it’s by researchers, and not attackers.

Safari 14: New privacy and security features

Apple has released Safari 14, which features many functional improvements and a Privacy Report that shows all the trackers the browser has neutralized, and which no longer supports Adobe Flash.

New features

Safari 14 sports a redesign of the tab bar, which now displays site favicons by default and previews of the contents of some pages (when the user hovers over a tab), and a customizable start page.

It also features improved extension support, as Apple has already put things in motion to allow app developers to easily convert their existing extension into a Safari web extension or build a new one, and support for.

But on to the Safari 14 privacy and security additions:

Privacy Report

The Privacy Report shows the cross-site trackers that Intelligent Tracking Prevention (ITP) prevented from accessing identifying information, and how many and which trackers the visited websites sport. It also shows which entity is behind each tracker.

ITP uses on-device machine learning to identify and block the trackers, and known trackers are independently verified by DuckDuckGo. Safari blocks trackers only if the “Prevent cross-site tracking” option is turned on, and the Privacy Report can only be compiled if users have turned ITP on.

The report is accessible through the “Safari” tab, via the start page, and via the shield-style icon to the left of the browser’s address bar.

Secure password monitoring

Safari 14 will notify users when one of their saved passwords in iCloud Keychain has shown up in a data breach (iCloud Keychain has to be enabled, of course).

It will also allow them to immediately change the password by pointing them to the correct page for each website (if the admin has specified the page’s URL in the web server’s .well-known directory).
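How an admin can publish that page, and how a client can check for it, shown as an added example that is not Apple's code or part of the original article. The `/account/password` target and the client-side decision logic are assumptions; the two `.well-known` paths come from the W3C drafts on change-password URLs and on detecting unreliable status codes.

```python
"""Serving and checking /.well-known/change-password (illustrative)."""

WELL_KNOWN = "/.well-known/change-password"
# Probe path a client can request to detect sites that answer 200 for everything.
PROBE = ("/.well-known/resource-that-should-not-exist-"
         "whose-status-code-should-not-be-200")
CHANGE_PAGE = "/account/password"  # hypothetical location of the real form


def make_app(change_page=CHANGE_PAGE, catch_all_200=False):
    """Build a WSGI app; change_page=None models a site without the redirect."""
    def app(environ, start_response):
        path = environ.get("PATH_INFO", "/")
        if change_page and path == WELL_KNOWN:
            # Server side: redirect the well-known URL to the real form.
            start_response("302 Found", [("Location", change_page)])
        elif path == change_page or catch_all_200:
            start_response("200 OK", [("Content-Type", "text/html")])
        else:
            start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b""]
    return app


def fetch(app, path):
    """Call the WSGI app in-process and return (status_code, headers)."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = int(status.split()[0])
        seen["headers"] = dict(headers)

    list(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return seen["status"], seen["headers"]


def change_password_url(app):
    """Client side (assumed logic): where to send the user, or None."""
    if fetch(app, PROBE)[0] == 200:
        return None  # soft-404 site: a 200 on the well-known URL proves nothing
    status, headers = fetch(app, WELL_KNOWN)
    if status in (302, 303, 307):
        return headers.get("Location")
    return WELL_KNOWN if status == 200 else None
```

The app returned by `make_app()` can be served with `wsgiref.simple_server` for manual testing.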

Removed support for Adobe Flash for improved security

Adobe Flash has been a thorn in security-minded users’ and cybersecurity professionals’ side for many years, as its vulnerabilities were often exploited by attackers.

Three years ago, browser makers announced that they would drop Flash support by the end of 2020, and now the time has come for the move. Adobe Flash will reach end-of-life on December 31, 2020.

Fixed vulnerabilities

Apple has fixed four WebKit vulnerabilities in Safari 14. All can be triggered by the browser processing maliciously crafted web content and three could lead to arbitrary code execution.

More information about and a PoC for the one discovered by Marcin “Icewall” Noga of Cisco Talos can be found here.