Users of UC Browser for Android Exposed to URL Spoofing Attacks

The latest versions of the UC Browser and UC Browser Mini Android apps, which have a combined total of over 600 million installs, expose their users to URL spoofing attacks, as explained by security researcher Arif Khan, who found the flaw and reported it to the apps' security team.

URL spoofing attacks are based on the attackers' capability to change the URL displayed in the address bar of a web browser to trick their targets into thinking that the loaded website is controlled by a trusted party.

However, as is the case with the address bar spoofing vulnerability discovered by Khan in the UC Browser apps for Android, the site is actually controlled by the malicious actors behind the attack.

Unaware targets can be led to domains under the attackers' control that are camouflaged as high-profile websites, allowing potential attackers to steal their victims' information using phishing landing pages or to drop malware on their computers via malvertising campaigns.

The URL spoofing issue

"URL Address Bar spoofing is the worst kind of phishing attack possible. Because it's the only way to identify the site which the user is visiting," said Khan.

As the researcher says in his advisory, UC Browser and UC Browser Mini make it possible for would-be attackers to "pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making a user visit www[.]google[.]com[.]blogspot.com[/?q=]www.facebook.com."

"This is happening primarily because some mobile browsers are using bad regex checks. They are trying to enhance user UX by displaying only search term when the user searches for something on search engines like Google," also said Khan.

According to the researcher, "Basically, they are only checking if the URL the user is visiting starts with www[.]google[.]com, as a result of which, attackers can bypass this regex check/leverage to strip the host and spoof the URL address bar." 

To avoid exposing users, the two apps' developers should drop such UX "improvement" features altogether and display the real domain in all cases "if they can't write good regex or, effectively secure this functionality."
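The regex problem Khan describes is easy to reproduce in a few lines. The following is an added illustration written for this article, not code from UC Browser (whose implementation is not public): a hypothetical `naiveAddressBarText` function that decides whether to collapse the address bar to the search term by testing whether the URL, minus its scheme, starts with the string `www.google.com`, beside a hypothetical `hardenedAddressBarText` that parses the URL and compares the complete hostname. The sample URLs in `SAMPLE_URLS` are constructed for the example (one of them is the PoC form quoted above), and `spoofableUrls` flags any URL whose naive display text does not show its real host.

```javascript
// Added example (not UC Browser code): a prefix-check address bar display
// beside a hostname-check one. Function names and behaviour are hypothetical.

// Naive display logic: strip the scheme, then test whether the remainder
// starts with "www.google.com". Anything that passes is treated as a Google
// search and only its q= parameter is shown. The check never asks where the
// hostname actually ends, so "www.google.com.blogspot.com" passes too.
function naiveAddressBarText(url) {
  const withoutScheme = url.replace(/^https?:\/\//i, "");
  if (withoutScheme.startsWith("www.google.com")) {
    const match = withoutScheme.match(/[?&]q=([^&#]*)/);
    if (match) {
      return decodeURIComponent(match[1]);
    }
  }
  return withoutScheme;
}

// Hardened display logic: parse the URL, compare the whole hostname, and show
// the real host in every case. A genuine www.google.com search additionally
// shows its search term next to the host rather than instead of it.
function hardenedAddressBarText(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch (e) {
    return url; // unparseable input: show it verbatim rather than guess
  }
  const host = parsed.hostname.toLowerCase();
  const term = parsed.searchParams.get("q");
  if (host === "www.google.com" && term !== null) {
    return `${host} (search: ${term})`;
  }
  return host;
}

// Constructed sample URLs (not taken from any real traffic).
const SAMPLE_URLS = [
  "https://www.google.com/search?q=bleeping",
  "https://www.google.com.blogspot.com/?q=www.facebook.com",
  "https://example.com/?q=www.google.com",
];

// Flag URLs for which the naive display hides the real hostname, excluding
// genuine Google searches where collapsing to the term is the intended UX.
function spoofableUrls(urls) {
  return urls.filter((u) => {
    let host;
    try {
      host = new URL(u).hostname.toLowerCase();
    } catch (e) {
      return false;
    }
    return host !== "www.google.com" && !naiveAddressBarText(u).includes(host);
  });
}

for (const u of SAMPLE_URLS) {
  console.log(`${u}\n  naive:    ${naiveAddressBarText(u)}\n  hardened: ${hardenedAddressBarText(u)}`);
}
console.log("spoofable:", spoofableUrls(SAMPLE_URLS));
```

The point of the comparison is that the hostname is a structural part of the URL, not a prefix of a string: `new URL(...).hostname` yields `www.google.com.blogspot.com` for the PoC URL, which no equality test against `www.google.com` will accept, whereas the `startsWith` test cannot tell where the host ends and the registrable domain begins.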

"I find it worth mentioning that some old and other versions of UC Browsers are still not vulnerable to this, which puts me into confusion, which points at the fact that a new feature might have been added to this browser sometime back which is causing this issue," also says Khan.

UC Browser URL spoofing report ignored

Khan also provided BleepingComputer with two proof-of-concept (PoC) videos (one for UC Browser and one for UC Browser Mini) showing how would-be attackers could take advantage of the address bar spoofing flaw to lead potential victims to phishing sites or malvertising landing pages.

Vulnerability disclosure report ignored

The issue was discovered in the UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192 versions and, at the time of this publication, the apps' developer UCWeb hasn't yet issued a patch even though the issue was responsibly disclosed by Khan to the UCWeb security team on April 30, 2019.

In addition, after the disclosure was registered in UCWeb's systems, the company's security team assigned an "Ignored" status to the report.

In late March, the two Android browsers also exposed their users to man-in-the-middle (MiTM) attacks by downloading and installing extra modules from their own servers over unprotected, insecure channels, bypassing the Google Play Store servers altogether, as discovered by Doctor Web.

As BleepingComputer later discovered, the desktop UC Browser app was also vulnerable to MiTM attacks which could allow bad actors to download malicious extensions on users' computers.

BleepingComputer has contacted UCWeb about the status of this vulnerability but has not heard back as of yet.
