Apple, Opera and more aim to tackle address bar spoofing browser bug


Several well-known and popular web browsers contain a vulnerability that makes them susceptible to phishing attacks. The bug allows threat actors to display a different address to the one that the victim is actually visiting.

The bugs were discovered by security researcher Rafay Baloch, who found vulnerabilities in Opera, Safari, Yandex and numerous other browsers, largely affecting mobile devices. The security flaw is not as effective on desktop devices, where individuals can more easily view other indicators of a website’s legitimacy. On mobile screens, checking the address bar is the primary method of discerning whether a webpage is real or not.

The bug works by replacing the malicious web address with a reputable one of the attacker’s choosing in the time it takes for the webpage to load. In some of the examples given by Baloch, the security padlock was even displayed alongside the fake web address, making it appear more authentic.

Still at risk

Some browser makers have responded better than others to the discovery of this vulnerability. Apple and Yandex have already rolled out patches, but many others simply did not respond to the disclosure.

“It is pertinent to mention here that several mobile browsers with huge userbases do not even have a dedicated email for reporting security vulnerabilities, which discourages security researchers from reporting security vulnerabilities,” Baloch wrote on his blog. “Google Chrome and Firefox have a bug bounty program in which both desktop and mobile browsers are in-scope, whereas Microsoft’s bug bounty program is only limited to desktop versions. Apart from this, there is a small subset of mobile browsers incentivizing security researchers and bug bounty hunters for reporting vulnerabilities.”

The address bar vulnerability emphasizes the need for online users to remain vigilant against phishing attacks. Always question whether a link is genuine before clicking, to avoid being taken to a malicious website, and then double-check whether anything looks suspicious once the page has loaded.

Via TechCrunch

Barclay Ballard

Barclay has been writing about technology for a decade, starting out as a freelancer with ITProPortal covering everything from London’s start-up scene to comparisons of the best cloud storage services. After that, he spent some time as the managing editor of an online outlet focusing on cloud computing, furthering his interest in virtualization, Big Data, and the Internet of Things.
