A Pakistani security researcher discovered a vulnerability affecting Chrome and Firefox browser configurations of URLs in address bars.Rafay Baloch noticed that Chrome's Omnibox API re-orders the way URLs in some languages are displayed in the address bar.Characters in Arabic and Hebrew, for example, are displayed right-to-left, rather than left-to-right in the address bar. Baloch created a proof-of-concept test that demonstrates a malicious attacker could exploit the way Firefox and Google Chrome's Omnibox API displays URLs.In a blog post published Tuesday, Baloch wrote that “several other browsers” are affected by similar vulnerabilities. The other browsers are currently addressing the flaws and he will refrain from disclosure of the other browsers' vulnerabilities. “Details will be disclosed, once a fix has been landed.” Chrome and Firefox awarded Baloch a $5,000 bug bounty for his discovery of the spoofing flaw.In his proof-of-concept example, the URL “https://عربي.امارات/google.com/test/test/test” would appear in the address bar as “google.com/test/test/test/عربي.امارات”. An attacker could then direct users to a different website than the intended legitimate URL.
Incident Response, Network Security, TDR, Vulnerability Management
Chrome and Firefox address bar vulnerabilities allow spoofed URLs
An In-Depth Guide to Network Security
Get essential knowledge and practical strategies to fortify your network security.
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



