Apple and Opera fix spoofing vulnerability in address bar of mobile browsers

Rapid7 security researchers have found ten bugs in seven mobile browsers that allow the URL to be spewed into an address bar. The bug has been fixed in Safari, and patches are coming out for multiple Opera browsers.

The vulnerability was discovered by Rapid7, which has teamed up with security researcher Rafay Baloch. In total, the researchers discovered ten vulnerabilities in mobile browsers. These are Safari on iOS 13.6, and Opera’s Touch and Mini browsers for iOS. In addition, several smaller browsers have been affected, including the Russian Yandex Browser, UC Browser, Bolt Browser and Zipper Browser. Not all bugs have been fixed yet.

The exploit is deployed between the moment a mobile web page loads and the moment the browser can refresh the address bar. At that point, an attacker could cause a pop-up or another website to appear, making it appear as if a legitimate website is being visited while it is a website with a different url. The bug can be exploited if victims come across a phishing website that can run JavaScript. One of the researchers has released a proof-of-concept in a paper.

Although the vulnerability exists in several browsers, not every browser maker has already fixed the vulnerability. The vulnerabilities have now been resolved only in Safari, Yandex and the Zipper Browser. Opera says it will release a fix on November 11, and with the Bolt Browser and the UC Browser, the researchers had no contact with the makers at all.

CVE Browser Status
CVE-2020-7363 UC Browser 13.0.8 Android No response from maker
CVE-2020-7364 UC Browser 13.0.8 Android No response from maker
Will follow Opera Mini 51.0.2254 Android Fix is ​​coming November 11th
Will follow Opera Touch 2.4.4 iOS Fix is ​​coming November 11th
Will follow Opera Touch 2.4.4 iOS Fix is ​​coming November 11th
Will follow Opera Touch 2.4.4 iOS Fix is ​​coming November 11th
CVE-2020-7369 Yandex Browser 20.8 Android Repaired
CVE-2020-7370 Bolt Browser 1.4 iOS No response from maker
CVE-2020-7371 Zipper Browser 3.3.9 Android Repaired
CVE-2020-9987 Safari on iOS 13.6 Repaired

Leave a comment