With much more than 5 million installations, the open source DuckDuckGo Privacy Browser for Android version 5.26.0 allows potential attackers to deploy URL spoofing attacks designed to attack users of the app by employing an address bar spoofing vulnerability.
Security analyst Dhiraj Mishra discovered the flaw monitored as CVE-2019-12329 and reported it on the HackerOne bug bounty and vulnerability coordination platform to the security staff of the apps via their bug bounty initiative.
The researcher claims that he conceived the proof of concept by spoofing the omnibar of DuckDuckGo Privacy Browser with the help of a specially crafted JavaScript page that uses the setInterval function to reload a URL every 10 to 50 ms.
In the report of Bleeping Computer, Mr. Mishra told that he was awarded a swag from DuckDuckGo.
This vulnerability was submitted to the browser security team via HackerOne on October 31st 2018 initially this bug was marked as high the discussion went till May 27th, 2019, and they concluded this ‘doesn’t seem to be a serious issue’ and marked the bug as informative, however I was awarded a swag from DuckDuckGo.
Dheeraj Mishra
Potential threats can spoof URL attacks by modifying the URL shown in the vulnerable web browser’s address bar to deceive their victims into trying to think that a trusted party controls the website they are currently scrolling.
Though, the site would actually be controlled by the malicious hackers functioning the attack, just as it would happen after the attackers exploited the researcher’s spoofing address bar bug in the Android DuckDuckGo Privacy Browser.
Thus, unaware victims can be redirected to domains masked as numerous high-profile sites that might actually allow attackers to steal the personal details of their targets and by using phishing web pages or by leaving malware on their computers through malvertising attack ads.
