
Ordinary URL Spoofing Flaw Affects Firefox and Chrome


A security flaw in the way Firefox and Chrome render URLs may let an attacker dupe an end-user into visiting a fake website.

Security researcher Rafay Baloch, who discovered the flaw, won $5,000 in bug bounty money. He explains that cyber-criminals could exploit the flaw to fool end-users into divulging personal credentials on a malware-rigged website, because the site looks genuine in the Web browser's address bar.

In earlier research, Baloch found a remote code execution flaw in PayPal. He came out a winner then too, as PayPal offered him employment and rewarded him handsomely with $10,000. The address bar spoofing flaw in the stock browser on Android phones was also his discovery. That weakness proved damaging for both the current and previous versions of Android.

Put simply, the problem lies in the way these browsers handle URLs built from a combination of LTR (Roman) and RTL (Arabic) characters. Baloch states that many browsers are confused into interchanging parts of the URL, duping the end-user into believing that he is on a different website from the one he is actually seeing.

That means anybody opening a web link, possibly disguised within a tweet or spam mail, will appear to be visiting http://example.com, while the website is actually showing material from an IP address.

The address bar spoofing vulnerability can be exploited because certain languages that are written right-to-left, like Arabic, are rendered in an unconventional way. For example, by taking one right-to-left character, once a forward slash has been typed, it is possible to use it to flip a URL so that it is displayed with right-to-left rendering. ZDNet.com reported this on August 16, 2016.
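A mail or link filter can flag this kind of URL before a user opens it. The sketch below is an added example, not code from Baloch or the browser vendors; the function names and sample links are constructed for illustration. It also flags explicit bidirectional control characters, which goes slightly beyond the case described above.

```python
import ipaddress
import unicodedata
from urllib.parse import unquote, urlsplit

RTL = {"R", "AL"}  # strong right-to-left classes (Hebrew and Arabic letters)
CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def host_is_ip(host):
    """True when the host part is an IPv4/IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def bidi_findings(url):
    """Return reasons why a URL's displayed order may differ from its real order."""
    text = unquote(url)  # also catches RTL characters hidden as %D8%A7 etc.
    classes = {unicodedata.bidirectional(ch) for ch in text}
    findings = []
    if classes & CONTROLS:
        findings.append("bidi-control-character")
    if classes & RTL and "L" in classes:
        findings.append("mixed-ltr-rtl")
        # The case from the article: real host is an IP, RTL text follows it.
        if host_is_ip(urlsplit(url).hostname or ""):
            findings.append("ip-host-with-rtl-text")
    return findings


# Constructed sample links (192.0.2.0/24 is a documentation-only range).
SAMPLES = [
    "http://example.com/news/2016",      # plain LTR link
    "http://192.0.2.7/\u0627/login",     # Arabic letter after the first slash
    "http://192.0.2.7/%D8%A7/login",     # same letter, percent-encoded
    "http://example.com/a\u202eb",       # explicit RLO control character
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(ascii(link), bidi_findings(link))
```
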

According to Baloch, the problem is set to be resolved in Firefox 48 and Chrome 53. In Firefox, the problem existed and was resolved as vulnerability CVE-2016-5267; however, the exploitation pattern was slightly different, because Mozilla (Firefox) uses a different codebase from Google (Chrome).

Bottom line: End-users need to upgrade their Web browsers to the most recent versions to stay safe from the security bug.

» SPAMfighter News - 8/22/2016
