Pakistani ethical hacker Rafay Baloch has disclosed a vulnerability in Chrome and Firefox: the way these browsers render website addresses could expose users to malicious websites that appear to be legitimate.
On Tuesday, Rafay Baloch published a blog post on his website explaining the address-bar spoofing bug. The bug could allow an attacker to trick a user by displaying a spoofed page under an incorrect URL.
“Google security team themselves state that ‘We recognize that the address bar is the only reliable security indicator in modern browsers’ and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance, potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting a legitimate website as the address bar points to the correct website.”
This has earned him a $5000 bug bounty.
This address bar spoofing flaw works because several languages, such as Arabic and Hebrew, are written from right to left. Because of how the browsers mishandled certain Unicode characters, and because the direction in which text is rendered is decided by its first strong character (let’s say, an IP address or a letter), a URL could be displayed in a misleading order. Rafay spotted this bug by placing neutral characters such as “/” and “ا” in the file path, which, according to him, causes the displayed URL to be flipped.
For example, 127.0.0.1/ا/http://example.com would instead appear in the browser’s address bar as http://example.com/ا/127.0.0.1. This means that a person clicking on the link would assume they were going to example.com, but the page would actually display data from 127.0.0.1. You can read about it in detail here.
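As an added illustration, not code from the article or from Rafay Baloch’s write-up, the following Python script (standard library only; the function names are my own) shows which Unicode bidirectional classes drive the behaviour described above. It reports the first strong character of a URL, flags URLs that mix strong right-to-left and left-to-right characters or carry explicit bidi control characters, and shows one display-side mitigation: percent-encoding every non-ASCII code point so the string shown to the user renders strictly left to right.

```python
import unicodedata
from urllib.parse import quote

# Unicode bidirectional classes as returned by unicodedata.bidirectional().
# Strong RTL ("R", "AL") and strong LTR ("L") characters decide the direction
# of the neutral text around them (digits, "/", "." and ":" are all neutral);
# the explicit control classes can override the visual ordering outright.
STRONG_RTL = {"R", "AL"}
STRONG_LTR = {"L"}
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def bidi_profile(url):
    """Count strong LTR, strong RTL and explicit bidi-control code points in url."""
    classes = [unicodedata.bidirectional(ch) for ch in url]
    return {
        "ltr": sum(1 for c in classes if c in STRONG_LTR),
        "rtl": sum(1 for c in classes if c in STRONG_RTL),
        "controls": sum(1 for c in classes if c in BIDI_CONTROLS),
    }


def first_strong(url):
    """Bidi class of the first strong character in url, or None if there is none.

    The Unicode bidi algorithm picks the base direction of a run of text from
    its first strong character, which is why a URL whose first strong character
    is an Arabic letter can be laid out right to left even though its digits
    and punctuation are direction-neutral.
    """
    for ch in url:
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_LTR or cls in STRONG_RTL:
            return cls
    return None


def is_bidi_suspicious(url):
    """True when url mixes strong RTL and strong LTR characters or carries
    explicit bidi controls, i.e. when the order a user sees may differ from
    the logical order the browser will actually navigate."""
    p = bidi_profile(url)
    return p["controls"] > 0 or (p["rtl"] > 0 and p["ltr"] > 0)


def safe_display(url):
    """Percent-encode every non-ASCII code point so the displayed string is
    pure ASCII and therefore renders strictly left to right."""
    # Reserved ASCII punctuation is kept as-is; letters, digits and "_.-~"
    # are never encoded by quote(); everything else becomes %XX escapes.
    return quote(url, safe="!#$&'()*+,/:;=?@[]~")


if __name__ == "__main__":
    # Constructed sample: the flipped-URL case quoted in the article above
    # (U+0627 is the Arabic letter alef shown as "ا" in the text).
    sample = "127.0.0.1/\u0627/http://example.com"
    print(bidi_profile(sample), first_strong(sample), is_bidi_suspicious(sample))
    print(safe_display(sample))
```

Run on the article’s example, the script reports that the first strong character is of class AL (Arabic letter), that the URL mixes 1 strong RTL with 14 strong LTR characters, and that the percent-encoded display form is 127.0.0.1/%D8%A7/http://example.com, which no longer contains any strong right-to-left character.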
According to Rafay, this vulnerability also exists in some other browsers, which are currently working on a fix, which is why he refrained from naming them. Chrome and Firefox, however, appear to have fixed the bug following his timely discovery and report.
Rafay Baloch is an accomplished penetration tester. For finding a bug in PayPal back in 2012, he received a USD 10,000 bounty. In 2014, his work on a bug in Android was featured by Forbes and the BBC. He was also featured in our 25 UNDER 25.
Editing by Muneeb Ahmad