Pakistani hacker Rafay Baloch has exposed a flaw in Firefox and Chrome address bar to win a bounty of $5000. According to the hacker, the browsers render website addresses in such a manner that they could expose users to malicious website that apparently seem to be legitimate otherwise.
Rafay Baloch posted a blog on Tuesday where he explained the address bar hoaxing bug. The trap could allow a hacker to spoof the user by exhibiting a tricked page for an invalid URL. As a result, it could trick users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting a legitimate website as the address bar points to the correct website
Google security team states:
“We recognize that the address bar is the only reliable security indicator in modern browsers. If the only reliable security indicator could be controlled by an attacker it could carry adverse effects”
Technical details
According to Rafay Baloch, the address bar spoofing defect works because languages like Arabic are written from right to left. Due to mishandling of several Unicode characters, an IP address or an alphabet could lead to a spoofed URL. The hacker explained that the URL could be flipped by placing neutral characters such as “/” in the file path.
For example, 127.0.0.1/ا/https://pakwired.com would instead appear in the browser bar as https://pakwired.com/ا/127.0.0.1. This means anyone clicking on the link would assume to be going to pakwired.com but the site would actually display the content from 127.0.0.1.
According to Rafay Baloch, Chrome 53 and Firefox 48 have apparently fixed this issue upon timely discovery. He also mentioned that the same kind of vulnerability exists in some other browsers. However, due to responsible disclosure policy he abstained from commenting.
Rafay is credited with finding remote code execution vulnerability in Paypal. This led to Paypal offering him a job plus a huge monetary reward of $10,000. He also discovered the Android stock browser address bar spoofing which was fatal for the current as well as the earlier versions of android. He achievements also got featured in BBC and Forbes.
Leave a Reply
This site uses Akismet to reduce spam. Learn how your comment data is processed.
