According to cybersecurity researcher Rafay Baloch, the address bar spoofing vulnerabilities affect multiple mobile browsers, including Apple Safari, Opera Touch, Yandex Browser, UCWeb, Bolt Browser, and RITS Browser; the flaw leaves the door open for spear-phishing and malware attacks.
While UCWeb and Bolt have yet to release patches for their respective browsers, Opera is expected to release a fix for Opera Touch on November 11, 2020.
How the Address Bar Spoofing Vulnerabilities Affect Multiple Mobile Browsers
The vulnerability in Safari arises because the browser preserves the address bar contents for a URL requested over an arbitrary port: a setInterval function reloads bing.com:8080 every 2 milliseconds, so the address bar keeps showing the requested URL while the attacker's page remains on screen, and users are unable to recognize the redirection from the original URL to the spoofed one.
Similar issues have also been found in several other major browsers and will be made public once the coordinated disclosure timeline has elapsed. What makes the Safari vulnerability more pronounced is that, by default, the browser doesn't reveal the port number in the URL unless focus is set on the address bar via the cursor.
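The following JavaScript is an added illustration of the two points above and is not Rafay Baloch's published proof of concept, which this article does not reproduce. The first function shows the loop structure the article describes (a page keeps re-requesting a trusted host on a port that never answers, here bing.com:8080 every 2 ms as stated above); the navigation and scheduling callbacks are injected so it can be exercised outside a browser. The second function shows what the address bar displays on a browser that hides non-default ports unless the bar is focused, which is why the spoofed URL is indistinguishable from the real site at a glance. The function names and the `portVisible` option are this example's own assumptions.

```javascript
// Added illustration, not the researcher's proof of concept.

// (1) Loop structure as the article describes it. `navigate` is injected so
// the code can run outside a browser (in a page it would be
// url => { location = url; }), and `schedule` defaults to setInterval.
// Returns whatever the scheduler returns (the interval id), so a caller can
// clearInterval it. Host, port and interval follow the article.
function startPendingNavigationLoop(navigate,
                                    pendingUrl = "https://bing.com:8080/",
                                    intervalMs = 2,
                                    schedule = setInterval) {
  return schedule(() => navigate(pendingUrl), intervalMs);
}

// (2) What the user sees. The WHATWG URL parser drops default ports
// (https://bing.com:443/ parses with port ""), so a non-empty port is by
// definition a non-default one, which is the case the article says Safari
// hides until the address bar is focused.
function addressBarView(urlString, { portVisible = false } = {}) {
  const u = new URL(urlString);
  const nonDefaultPort = u.port !== "";
  const shown = nonDefaultPort && portVisible
    ? `${u.hostname}:${u.port}`
    : u.hostname;
  return {
    shown,                                            // text read in the bar
    hiddenPort: nonDefaultPort && !portVisible ? u.port : null,
    looksLikeOrigin: `${u.protocol}//${u.hostname}`,  // what the user infers
    actualOrigin: u.origin,                           // what was requested
  };
}

// Self-check when run directly with node: unfocused, the spoof URL renders
// exactly like the real site; focused, the port gives it away.
if (typeof require !== "undefined" && require.main === module) {
  const spoof = "https://bing.com:8080/";
  console.log(addressBarView(spoof));                        // shown: "bing.com", hiddenPort: "8080"
  console.log(addressBarView(spoof, { portVisible: true })); // shown: "bing.com:8080"
  console.log(addressBarView("https://bing.com/").shown === addressBarView(spoof).shown); // true
}
```

The injected `schedule` parameter exists only so the loop can be driven synchronously in a test; in a page the defaults are what matter, and the only user-side check this model leaves is the focused view, which is the one Safari shows when the address bar is tapped.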
How Web Users Can Stay Safe from Such Address Bar Spoofing Vulnerabilities
With the address bar seemingly pointing to a trusted website and giving no indicator of forgery, it becomes easy to coax users into disclosing personal information, which attackers then steal, or into accepting malware. Because the technique exploits a specific flaw in the browser itself, it also evades several anti-phishing solutions.
Web users are therefore urged to stay alert to browser-based vulnerabilities such as address bar spoofing, which can increase the success rate of spear-phishing attacks and make them considerably more dangerous. On a browser that hides the port by default, tapping the address bar to reveal the full URL, port included, is the one check available to the user.