Apple and Opera fix spoofing vulnerability in address bar of mobile browsers


Rapid7 security researchers have found ten bugs in seven mobile browsers that allow the URL shown in the address bar to be spoofed. The bug has been fixed in Safari, and patches are coming for several Opera browsers.

The vulnerability was discovered by Rapid7 together with security researcher Rafay Baloch. In total, the researchers found ten vulnerabilities in mobile browsers: Safari on iOS 13.6, and Opera’s Touch and Mini browsers for iOS. Several smaller browsers are also affected, including the Russian Yandex Browser, UC Browser, Bolt Browser and Zipper Browser. Not all bugs have been fixed yet.

The exploit takes advantage of the window between the moment a mobile web page loads and the moment the browser refreshes the address bar. In that window, an attacker can make a pop-up or another website appear, so that it looks as if a legitimate website is being visited while the page actually has a different URL. The bug can be exploited if victims land on a phishing website that can run JavaScript. One of the researchers has released a proof-of-concept in a paper.

Although the vulnerability exists in several browsers, not every browser maker has fixed it yet. So far the vulnerabilities have been resolved only in Safari, Yandex and the Zipper Browser. Opera says it will release a fix on November 11, and for the Bolt Browser and the UC Browser the researchers had no contact with the makers at all.

| CVE | Browser | Status |
| --- | --- | --- |
| CVE-2020-7363 | UC Browser 13.0.8 Android | No response from maker |
| CVE-2020-7364 | UC Browser 13.0.8 Android | No response from maker |
| Will follow | Opera Mini 51.0.2254 Android | Fix is coming November 11th |
| Will follow | Opera Touch 2.4.4 iOS | Fix is coming November 11th |
| Will follow | Opera Touch 2.4.4 iOS | Fix is coming November 11th |
| Will follow | Opera Touch 2.4.4 iOS | Fix is coming November 11th |
| CVE-2020-7369 | Yandex Browser 20.8 Android | Repaired |
| CVE-2020-7370 | Bolt Browser 1.4 iOS | No response from maker |
| CVE-2020-7371 | Zipper Browser 3.3.9 Android | Repaired |
| CVE-2020-9987 | Safari on iOS 13.6 | Repaired |