In a report published today by cyber-security firm Rapid7, the company said it worked with Pakistani security researcher Rafay Baloch to disclose ten new address bar spoofing vulnerabilities across seven mobile browser apps. From a report: Impacted browsers include big names like Apple Safari, Opera Touch, and Opera Mini, but also niche apps like Bolt, RITS, UC Browser, and Yandex Browser. The issues were discovered earlier this year and reported to browser makers in August. The big vendors patched the issues right away, while the smaller vendors didn’t even bother replying to the researchers, leaving their browsers vulnerable to attacks. “Exploitation all comes down to ‘JavaScript shenanigans’,” said Rapid7’s Research Director, Tod Beardsley. The Rapid7 exec says that by messing with the timing between when the page loads and when the browser gets a chance to refresh the address bar URL, a malicious site could force the browser to show the wrong address.

Source: Slashdot