JavaScript-based address bar spoofing vulns patched in Safari, Yandex, Opera • The Register

Rapid7 discovered that Apple’s Safari browser and the Opera Mini and Yandex browsers are all vulnerable to JavaScript-based address bar spoofing.

The infosec firm, together with its old friend, the hacker Rafay Baloch, discovered that it was possible to trick the software into displaying the URL of one website while loading and displaying content from another site. This trick is especially useful for thieves and fraudsters who want to replace a bank's login page with a page designed to collect the details typed in by unwitting users.

Since we have few ways to verify the source of the data on our phones, the address bar is almost the only part of the screen that developers (angels and demons) are not allowed to change, Rapid7’s Tod Beardsley wrote in a blog post.

He added: Between the time a page is loaded and the time the browser’s address bar is updated, an attacker may cause a pop-up window from a website or display content in the browser window that has not been correctly identified as coming from a website.


On his own website, Baloch (who is no stranger to the study of address bar spoofing attacks) has published proof-of-concept code for the Yandex browser, Safari and Opera.

It should be noted that some mobile browsers with very large numbers of users do not even have a special email address for reporting vulnerabilities, which prevents security researchers from doing so, he said. Google Chrome and Firefox have a Bug Rewards program that is available for desktop and mobile browsers, although like Microsoft’s Bug Rewards program it is only available for desktop versions.

This research resulted in the release of patches for UCWeb (CVE-2020-7363 and CVE-2020-7364), Opera Touch, the Yandex browser (CVE-2020-7369), Safari (CVE-2020-9987) and the RITS browser (CVE-2020-7371). Upgrading these applications to their latest versions should close the holes.

Opera Mini is scheduled to be fixed on 11 November. Meanwhile, the Bolt browser also seems to be exposed, although no contact could be established between its maker and Rapid7.

Jake Moore, an IT specialist at antivirus company ESET, told The Register that end users need not worry if they have recently installed patches.

Usually we let our browser update itself automatically, which means we can sit back and surf safely without having to think of extra protection. But with some browsers it might not be that simple, he explained. It is disturbing to see that the link seems sincere when you click on it for a long time. However, as always, try to limit the amount of confidential information that is made public, or try to adhere to one of the proposed browsers that seem to fix this vulnerability more quickly.

He added: While waiting for the patch to be released, I advise you to be even more cautious if emails and other messages contain links that could be suspicious. ®