
The open source DuckDuckGo Privacy Browser for Android version 5.26.0, which has more than 5 million installs, contains an address bar spoofing vulnerability that makes it possible for attackers to launch URL spoofing attacks against the app's users.
Security researcher Dhiraj Mishra found the flaw, tracked as CVE-2019-12329, and reported it to the app's security team through their bug bounty program on the HackerOne bug bounty and vulnerability coordination platform.
The researcher states that the proof-of-concept he devised works by spoofing DuckDuckGo Privacy Browser's omnibar with the help of a specially crafted JavaScript page which uses the setInterval function to reload a URL every 10 to 50 ms.
While the real duckduckgo.com website is automatically loaded every 50 ms, the inner HTML is modified to display entirely different content as explained in Mishra's blog post.
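To show why a reload loop like the one described above can confuse an omnibar, here is an added example (not DuckDuckGo's code) that models two URL-bar update policies and feeds both a constructed WebView-style event stream; the event names, the attacker.example host and the timing are assumptions made for this illustration.

```javascript
// Added example (not DuckDuckGo's code): a minimal model of an omnibar that
// receives WebView-style navigation events. The spoof pattern keeps restarting
// a navigation to a trusted host with setInterval, so the target page never
// finishes loading. An omnibar that shows the *pending* URL on every load
// start displays the trusted host while the attacker's page is still what the
// user sees; one that shows only *committed* URLs does not.

const trusted = "https://duckduckgo.com/";
const attacker = "https://attacker.example/spoof"; // constructed placeholder host

// Vulnerable policy: update the displayed URL as soon as a load starts.
function naiveOmnibar() {
  let shown = "";
  return {
    onEvent(ev) {
      if (ev.type === "loadStart") shown = ev.url;
      if (ev.type === "commit") shown = ev.url;
    },
    displayed: () => shown,
  };
}

// Hardened policy: display only URLs whose navigation committed; a load that
// starts but never commits leaves the last committed URL on screen.
function commitOnlyOmnibar() {
  let committed = "";
  return {
    onEvent(ev) {
      if (ev.type === "commit") committed = ev.url;
      // loadStart and abort events deliberately do not touch the display
    },
    displayed: () => committed,
  };
}

// Event stream modelling the attack: the attacker page commits once, then a
// timer restarts a load of the trusted URL every few ms, aborting the previous
// one before it can commit. Constructed sample data for this example.
function spoofEvents(reloads) {
  const events = [{ type: "loadStart", url: attacker }, { type: "commit", url: attacker }];
  for (let i = 0; i < reloads; i++) {
    events.push({ type: "loadStart", url: trusted });
    events.push({ type: "abort", url: trusted }); // cancelled by the next timer tick
  }
  return events;
}

// Returns what the user would see in the address bar after the reload loop.
function displayedAfterSpoof(makeOmnibar, reloads = 20) {
  const bar = makeOmnibar();
  for (const ev of spoofEvents(reloads)) bar.onEvent(ev);
  return bar.displayed();
}
```

The naive policy ends up showing duckduckgo.com while the attacker's page is still the one rendered; the commit-only policy keeps showing the attacker's URL, which is the behaviour a browser should preserve.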

As the researcher told BleepingComputer, "this vulnerability was submitted to the browser security team via HackerOne on October 31st, 2018. Initially this bug was marked as high; the discussion went till May 27th, 2019, and they concluded this 'doesn't seem to be a serious issue' and marked the bug as informative. However, I was awarded a swag from DuckDuckGo."
Potential attackers can perform URL spoofing attacks by changing the URL displayed in the address bar of the vulnerable web browser to trick their victims into thinking that the website they're currently browsing is controlled by a trusted party.
However, the site will actually be under the control of the malicious actors running the attack, exactly as it would be if attackers abused the address bar spoofing flaw that Mishra unearthed in the DuckDuckGo Privacy Browser for Android.

Unaware victims can thus be redirected to domains camouflaged as various high-profile websites that would actually enable the attackers to steal their targets' info either by using phishing landing pages or by dropping malware on their computers via malvertising campaigns.
In early May, security researcher Arif Khan also found that the UC Browser and UC Browser Mini Android apps, with over 600 million installs in total, were exposing their users to URL spoofing attacks.
"URL Address Bar spoofing is the worst kind of phishing attack possible, because it's the only way to identify the site which the user is visiting," as Khan said at the time.
