A Pakistani hacker has been awarded $5,000 by Google and Firefox for exposing a flaw in their web browsers.
The bug discovered by Rafay Baloch could allow attackers to use the address bar and divert users to malicious websites possibly tricking them into revealing sensitive information.
“Google security team themselves state that ‘We recognise that the address bar is the only reliable security indicator in modern browsers’ and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is a legitimate website as the address bar points to the correct website,” Baloch wrote on his blog.
This feature can possibly be exploited by attackers by simply placing neutral characters like “/”, “ا” towards the end of a URL that flips it and gives the illusion that the user is visiting an official site. For example a site which has the logical order 127.0.0.1/ا/http://facebook.com will be displayed as http://facebook.com/ا/127.0.0.1. This gives the illusion that the user is visiting facebook.com while being shown data from 127.0.0.1.
“The IP address part can be easily [hidden] especially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch wrote. “In order to make the attack more realistic, a unicode version of padlock can be used in order to demonstrate the presence of SSL.”
Browsers vulnerable to such an attack include Google Chrome and Firefox among others. “Seventy per cent of all mobile traffic is affected by this bug,” he added.
Speaking to The Express Tribune, Baloch revealed he received $3,000 from Google, $1,000 from Firefox and another $1,000 in reward from an undisclosed browser for finding the bug.
Baloch is an accomplished hacker who also discovered Code Execution/Command Execution vulnerabilities on a sub-domain of Paypal for which he was paid $10,000 under their Bug Bounty programme.