Firewall Firm is a Managed Cyber Security Company in India
Home » Cyber Security News » Latest versions of UC Browser and UC Browser Mini Android apps vulnerable to URL spoofing attacks

Latest versions of UC Browser and UC Browser Mini Android apps vulnerable to URL spoofing attacks

  • These browsers have over 600 million installs across the world.
  • The flaw affects UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192.

The latest versions of UC Browser and UC Browser Mini Android apps have been found to be vulnerable to URL spoofing attacks. These browsers have over 600 million installs across the world.

What is URL spoofing attack?

URL spoofing is an attack that allows an attacker to change to URL displayed in the address bar of a web browser. By spoofing the URL, the attacker tricks the users into thinking that they are visiting a website controlled by a trusted party.

How is UC Browser impacted?

Discovered by a security researcher named Arif Khan, the flaw affects UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192. These versions have over 500 million and 100 million installs respectively on the Google PlayStore.

“This vulnerability allows any attacker to pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making a user visit www[.]google[.]com[.]blogspot.com/?q=www[.]facebook.com,” said Arif in a blog post.

Where does the issue lie?

Researcher Arif explained that the issue is because of regex checks in some mobile browsers. The browser’s regex only check if the URL begins with a string like www[.]google[.]com, instead of checking the complete URL. This allows attackers to leverage this behavior and spoof the URL.

“The fact that their regex rules just match the URL string, or, the URL any user is trying to visit a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com,” Arif noted.

The CVE number for the issue has not yet been assigned. The firm has also been informed about the issue.