A recently discovered address bar spoofing vulnerability in the mobile versions of Firefox and Chrome could allow an attacker to steal users’ data by impersonating legitimate websites.
Security researcher Rafay Baloch says the vulnerability lies in the way the browsers render RTL (right-to-left) text, such as Arabic and Hebrew. If a URL contains the Arabic character “|”, the URL’s host and path are displayed in reversed order when it is parsed by one of the two mobile browsers.
“The IP address part can be easily hidden, especially on mobile browsers, by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” wrote Baloch. “In order to make the attack more realistic Unicode version of padlock can be used in order to demonstrate the presence of SSL.”
The conditions differ between the two browsers: for Chrome, the only requirements were for the URL to start with the IP address and contain the Arabic character, while for Firefox the URL only needs to contain Arabic characters to cause the flip. The technique could be used to mask malicious URLs so that they appear to point to legitimate domains while actually opening similar-looking webpages served from malicious IP addresses.
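As an added illustration (not code from the researcher or either browser vendor), the Python sketch below shows how a mail or link filter could screen URLs for the traits described above: right-to-left characters after the host, an IP-literal host, and a padlock glyph. It goes beyond Arabic to any character with an RTL bidi class; the function name, finding labels and padlock list are assumptions made for this example.

```python
import ipaddress
import unicodedata
from urllib.parse import urlsplit, unquote

# Bidi classes that make a renderer lay text out right-to-left:
# R / AL are strong RTL letters (Hebrew, Arabic); RLE, RLO and RLI are
# explicit directional controls (embedding, override, isolate).
RTL_CLASSES = {"R", "AL", "RLE", "RLO", "RLI"}
# Lock glyphs that can imitate a TLS indicator (list chosen for this example).
PADLOCKS = {"\U0001F512", "\U0001F510", "\U0001F50F"}


def host_is_ip(host):
    """True when the host is an IPv4 or IPv6 literal rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def screen_url(url):
    """Return findings explaining why a URL may be displayed misleadingly."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    # Decode percent-escapes so %D8%A7 is inspected as the character it encodes.
    rest = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
    findings = []
    rtl = sorted({c for c in rest if unicodedata.bidirectional(c) in RTL_CLASSES})
    if rtl:
        names = ", ".join(unicodedata.name(c, hex(ord(c))) for c in rtl)
        findings.append("rtl-in-path: " + names)
        # The page's Chrome case: the true origin is an IP address, and the
        # RTL character can push it to the far end of the displayed URL.
        if host_is_ip(host):
            findings.append("ip-host-with-rtl: real origin is " + host)
    if any(c in PADLOCKS for c in rest):
        findings.append("padlock-glyph")
    return findings
```

A non-empty result is a reason to show the user the real origin separately from the link text, not proof of malice, since legitimate Arabic and Hebrew URLs also trigger the first finding.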
The desktop version of Firefox seems unaffected by the vulnerability, which has been rated as “moderate” in Mozilla’s CVE-2016-5267 advisory.
Both Google and Mozilla have patched the vulnerability, but the researcher stated that another browser, including its desktop version, has also been affected. Its name has remained undisclosed to allow the vendor time to patch the issue.
With the researcher raking in up to $3,000 from Google, $1,000 from Mozilla, and another $1,000 from the unspecified vendor, it’s safe to assume that all vendors have acknowledged the severity of the flaw.
Users running Chrome version 53 and above, or Firefox version 48 and above, are safe from the vulnerability, while the rest are strongly encouraged to update.