A bug bounty hunter has discovered and publicly disclosed details of an unpatched browser address bar spoofing vulnerability that affects popular Chinese UC Browser and UC Browser Mini apps for Android.
Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than half a billion users worldwide.
According to the details security researcher Arif Khan shared with The Hacker News, the vulnerability resides in the way the user interface of both browsers handles a special built-in feature that was otherwise designed to improve users' Google search experience.
The vulnerability, which has not yet been assigned a CVE identifier, could allow an attacker to control the URL string displayed in the address bar, eventually letting a malicious website pose as a legitimate site.
The vulnerability affects the latest UC Browser version 22.214.171.1244 and UC Browser Mini version 126.96.36.1992, which are currently used by over 500 million and 100 million users respectively, according to the Google Play Store.
Though the flaw is similar to the one Khan discovered last month in the MI browser that comes pre-installed on Xiaomi smartphones and in the Mint browser, phishing pages served using the newly discovered vulnerability in UC Browser still leave some indicators that vigilant users can spot.
When users search for something on "google.com" using either UC Browser, the browsers automatically remove the domain from the address bar and rewrite it to display only the search query string to the user.
Arif found that the pattern matching logic used by the UC Browsers is insufficient and can be abused by attackers simply by creating subdomains on their own domain, such as "www.google.com.phishing-site.com?q=www.facebook.com," tricking the browsers into thinking that the given site is "www.google.com" and the search query is "www.facebook.com."
The URL Address Bar spoofing vulnerability can be used to easily trick UC Browser users into thinking they’re visiting a trusted website when actually being served with a phishing page, as shown in the video demonstration.
“The fact that their regex rules just match the URL string, or, the URL any user is trying to visit a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com,” Arif explains in a blog post.
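To make the defect concrete, here is an added Python model (not UC Browser's own code, which the article does not show) of a prefix check like the one Arif describes, beside a check that parses the URL and compares the host exactly. The sample URLs are constructed from the examples in the text.

```python
from urllib.parse import urlsplit, parse_qs

# Hosts for which the address bar is allowed to show only the search query.
SEARCH_HOSTS = {"www.google.com", "google.com"}


def _query_term(query_string):
    """Return the q= parameter, or '' if there is none."""
    return parse_qs(query_string).get("q", [""])[0]


def display_text_naive(url):
    """Rewriting modelled on the page's description of the flaw: if the URL
    string (minus scheme) merely *begins* with www.google.com, the address
    bar shows only the q= value. Constructed illustration, not UC Browser code."""
    bare = url.split("://", 1)[-1]
    if bare.startswith("www.google.com"):
        return _query_term(urlsplit(url).query)
    return url


def display_text_hardened(url):
    """Parse first, then compare the *entire* host against the allow-list.
    A subdomain such as www.google.com.phishing-site.com does not match,
    so the full URL stays visible to the user."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme in ("http", "https") and host in SEARCH_HOSTS:
        return _query_term(parts.query)
    return url


def hides_real_host(url):
    """True when the naive rewrite would show a different string than the
    exact-host check, i.e. the URL would be displayed misleadingly."""
    return display_text_naive(url) != display_text_hardened(url)


if __name__ == "__main__":
    # Constructed samples: a genuine Google search and the spoof shapes
    # described in the article.
    for sample in (
        "https://www.google.com/search?q=www.facebook.com",
        "https://www.google.com.phishing-site.com/?q=www.facebook.com",
        "https://www.google.com.blogspot.com?q=www.facebook.com",
    ):
        print(f"{sample}\n  naive    -> {display_text_naive(sample)}"
              f"\n  hardened -> {display_text_hardened(sample)}"
              f"\n  misleading: {hides_real_host(sample)}")
```

Running the block prints, for each sample, what each rewrite rule would put in the address bar; only the real google.com search is shortened by the hardened rule.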
Unlike the Xiaomi browsers' flaw, the UC Browser vulnerability does not allow an attacker to spoof the SSL indicator, which is a basic and important factor that users cross-check to determine whether a site is fake or legitimate.
The Hacker News has independently verified the vulnerability and can confirm it works on the latest versions of both web browsers available at the time of writing.
What’s interesting? The researcher also mentioned that some old and other versions of UC Browser and UC Browser Mini are not affected by this URL Address Bar spoofing vulnerability, which suggests that a “new feature might have been added to this browser sometime back which is causing this issue.”
Khan responsibly reported the vulnerability to the UC Browser security team more than a week ago, but the company has not yet addressed the issue and simply put an Ignore status on his report.
UC Browser was in the news just over a month ago when researchers found a “hidden” feature in its Android app that could have been exploited by attackers to remotely download and execute malicious code on Android phones and hijack them.