A bug hunter has discovered an unpatched address bar spoofing vulnerability that affects the popular Chinese UC Browser and UC Browser Mini apps for Android.
What is UC Browser?
UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than half a billion users worldwide.
According to the researcher, Arif Khan, the vulnerability resides in the way the user interface of both browsers handles a special built-in feature that was designed to improve users' Google search experience.
The vulnerability, which has not yet been assigned a CVE identifier, could allow an attacker to control the URL string displayed in the address bar, eventually letting a malicious website pose as a legitimate site.
What versions of UC Browser are affected?
The vulnerability affects the latest UC Browser version 184.108.40.2064 and UC Browser Mini version 220.127.116.112, which are currently used by over 500 million and 100 million users respectively, according to the Google Play Store.
When users search for something on "google.com" using the UC Browsers, the browsers automatically remove the domain from the address bar and rewrite it to display only the search query string to the user.
Arif found that the pattern matching logic used by the UC Browsers is insufficient and can be abused by attackers simply by creating subdomains on their own domain, such as "www.google.com.phishing-site.com?q=www.facebook.com", tricking the browsers into thinking that the site is "www.google.com" and that the search query is "www.facebook.com".
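To illustrate the bug class, here is an added example (not UC Browser's code, whose logic is not public) that places an assumed reconstruction of a prefix-based check next to a hardened version that parses the URL and compares the hostname exactly; the sample URLs are constructed from the article's description.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample URLs based on the article's description.
GENUINE = "https://www.google.com/search?q=www.facebook.com"
LOOKALIKE = "https://www.google.com.phishing-site.com?q=www.facebook.com"


def naive_search_display(url: str):
    """Weak check of the kind the article describes (assumed reconstruction,
    not the browser's actual code): strip the scheme and test for a
    'www.google.com' prefix in what remains. Returns the query text that
    would replace the URL in the address bar, or None."""
    rest = url.split("://", 1)[-1]
    if rest.startswith("www.google.com") and "q=" in rest:
        return rest.split("q=", 1)[1].split("&", 1)[0]
    return None


def strict_search_display(url: str):
    """Hardened check: parse the URL, require https, compare the registrable
    hostname exactly and require the search path, so a look-alike host such as
    www.google.com.phishing-site.com is never rewritten."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "www.google.com":
        return None
    if parts.path != "/search":
        return None
    query = parse_qs(parts.query).get("q")
    return query[0] if query else None


if __name__ == "__main__":
    for url in (GENUINE, LOOKALIKE):
        print(url)
        print("  naive  ->", naive_search_display(url))
        print("  strict ->", strict_search_display(url))
```

The prefix check rewrites both URLs to "www.facebook.com", hiding the attacker's host; the parsed check rewrites only the genuine Google URL.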
The URL address bar spoofing vulnerability can be used to easily trick UC Browser users into thinking they are visiting a trusted website when they are actually being served a phishing page, as shown in the video demonstration.
The Hacker News has independently verified the vulnerability and can confirm it works on the latest versions of both web browsers available at the time of writing.
What's interesting? The researcher also mentioned that some older and other versions of UC Browser and UC Browser Mini are not affected by this URL address bar spoofing vulnerability, which suggests that a "new feature might have been added to this browser sometime back which is causing this issue."