Tuesday, May 19, 2015

Posted by Paulos Yibelo
12:56 PM

This kind of bug was originally found by Deusen and then by Rafay Baloch. It affects the Android Web Browser, and Safari on both OS X and iOS.

Here is a simple PoC to demonstrate the issue; if you look at the URL, it says dailymail.co.uk when in reality the page is hosted on another website.

So far, Safari and the Android Browser have been confirmed vulnerable by Baloch in a blog post earlier today.

But now, I also noticed this bug can be produced in the Opera Android and Opera Mini browsers.
function f()

The code is hilariously simple to understand: the webpage reloads roughly every 10 milliseconds (random) using the setInterval() function, just before the browser can get the real page, so the user sees the ‘real’ web address instead of the fake one.

There is another example Rafay used, though, that is really valuable for spammers/phishers. He used www.google.com/csi (the one you see in the URL), but the content is actually being delivered from an attacker-controlled site.

Another example would be, say, a malicious page X that hosts a page similar to dailymail.co.uk with malicious content, where you get to click on something like
<a href="http://malicioussite.com">http://dailymail.co.uk</a>

It's very likely you will click on that, when instead you will be redirected to malicioussite.com, but that site will spoof the URL and you will see dailymail.co.uk in the URL.

There are countless ways this bug can be bad for the average Joe, the people with no technical background.
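
The link trick described above (visible text naming one site, href pointing to another) is something a mail filter or content scanner can check for. The following is an added example, not code from the original post; `findMisleadingLinks`, `hostFrom` and `SAMPLE_HTML` are hypothetical names, and the sample markup is constructed around the post's own link.

```javascript
// Added example: flag links whose visible text names one host while the href goes to another.
// All names here are hypothetical; SAMPLE_HTML is constructed for the demonstration.

// Pull a hostname out of a string if it looks like a URL or bare domain; otherwise null.
function hostFrom(text) {
  const s = text.trim();
  if (!/^(https?:\/\/)?[a-z0-9-]+(\.[a-z0-9-]+)+([\/?#:].*)?$/i.test(s)) return null;
  try {
    return new URL(/^https?:\/\//i.test(s) ? s : "http://" + s).hostname.toLowerCase();
  } catch (e) {
    return null;
  }
}

// Treat "www.example.com" and "example.com" as the same site for comparison.
const bare = (h) => h.replace(/^www\./, "");

function findMisleadingLinks(html) {
  const findings = [];
  const anchorRe = /<a\b[^>]*\bhref\s*=\s*(["'])(.*?)\1[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = anchorRe.exec(html)) !== null) {
    const hrefHost = hostFrom(m[2]);
    const label = m[3].replace(/<[^>]*>/g, ""); // drop nested tags such as <b>
    const shownHost = hostFrom(label);
    // Only flag when the label itself claims a destination and it disagrees with the href.
    if (hrefHost && shownHost && bare(hrefHost) !== bare(shownHost)) {
      findings.push({ shown: shownHost, actual: hrefHost });
    }
  }
  return findings;
}

// Constructed sample: the post's link, two benign links, and a variant with nested markup.
const SAMPLE_HTML = `
  <a href="http://malicioussite.com">http://dailymail.co.uk</a>
  <a href="http://www.dailymail.co.uk/news">dailymail.co.uk</a>
  <a href="http://dailymail.co.uk">Read the full story</a>
  <a href='http://malicioussite.com/x'><b>www.dailymail.co.uk</b></a>
`;

console.log(findMisleadingLinks(SAMPLE_HTML));
```

This only catches the mismatched link that leads the user to the spoofing page; the address bar spoof itself is a browser bug and is addressed by the browser patches.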

Google reported releasing patches for Android Lollipop (5.0.x) on April 7, and for Android KitKat (4.4.x) on April 30.

