Browser Vulnerabilities: Microsoft Edge, Safari and DuckDuckGo Address Bar Spoofing vulnerabilities

RedSecLabs security researchers Rafay Baloch and Muhammad Samaak discovered address bar spoofing vulnerabilities in widely used mobile browsers such as Safari, Microsoft Edge, and DuckDuckGo. These vulnerabilities have a significant impact, affecting millions of users worldwide.

Google has highlighted the severity of address bar spoofing within their Google Vulnerability Reward Program (VRP) guidelines. According to Google, address bar spoofing poses a significant threat as it undermines the only reliable security indicator in modern browsers.

Under our responsible disclosure policy, RedSecLabs gave the vendors a 60-day window to address these vulnerabilities. Although the vendors took longer than that, following our report the vulnerabilities were fixed in both the Apple Safari and Microsoft Edge browsers.

Understanding Address Bar Spoofing

Imagine browsing the internet on your mobile device, thinking you're on a safe website, only to realize that the address bar has deceived you. This deceptive tactic is known as Address Bar Spoofing. Attackers manipulate what the browser displays for a malicious website so that the address bar shows the URL of a legitimate site such as google.com, bing.com, facebook.com, or apple.com. Because the address bar is the indicator users rely on to verify a site's authenticity, this makes it easy to trick users into disclosing personal information or downloading malware.

Vulnerabilities in Safari & Edge

Apple Safari is one of the most widely used browsers with 984 million estimated users globally. Additionally, Safari accounts for 24.71% of global mobile device browsers, a significant figure given Apple's 28.83% share of the smartphone market.

Despite its popularity, Safari isn't immune to vulnerabilities: an address bar spoofing vulnerability was found in Safari version 9.5.

After we reported the issue, Apple addressed the vulnerability and CVE-2023-42438 was assigned.

Similar to Safari, the Microsoft Edge browser for iOS was also found to be vulnerable to an address bar spoofing attack. The report was submitted to the Microsoft Security Response Center (MSRC) program.

Proof of Concept

The proof of concept uses JavaScript's setInterval function to reload bing.com on a port with no service listening ("bing.com:8080") every 9.8 seconds. Because the page is constantly reloading, users can be misled about the authenticity of the URL shown in the address bar during the redirection.

Address Bar Spoofing Vulnerability in DuckDuckGo

DuckDuckGo's privacy browser, which boasts over 5M downloads, was also found to be vulnerable to an address bar spoofing attack. The report was submitted via the HackerOne platform; however, it was marked as a duplicate by the DuckDuckGo security team.

Over time, RedSecLabs researchers have consistently discovered vulnerabilities in leading web and mobile browsers, and we continue to publish cutting-edge research to improve the software used by the masses.