Version 5.26.0 of the DuckDuckGo Privacy Browser for Android, the latest
release at the time and an app with more than 5 million downloads, is affected
by an address bar spoofing flaw that lets an attacker-controlled page show a URL
other than the one actually loaded.
The vulnerability, which targets users of the app, was discovered by security
researcher Dhiraj Mishra, who reported it to DuckDuckGo's security team through
the company's bug bounty program on the vulnerability coordination and bug
bounty platform HackerOne.
In a conversation with BleepingComputer, Dhiraj said: "This
vulnerability was submitted to the browser security team via HackerOne on
October 31st, 2018. Initially this bug was marked as high; the discussion went
till May 27th, 2019, and they concluded this 'doesn't seem to be a serious
issue' and marked the bug as informative. However, I was awarded a swag from
DuckDuckGo."
In the vulnerable DuckDuckGo Privacy Browser for Android, an attacker-controlled
web page can alter the URL shown in the address bar so that it no longer matches
the page actually being rendered. The victim is led to believe that the site
they are viewing is the legitimate one whose address is displayed, while the
content is in fact served by the attacker carrying out the spoof.
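To make the failure concrete, the following is an added illustrative model, not DuckDuckGo's code and not a reproduction of the technique Mishra reported (the article does not describe it). It assumes one well-known class of address bar spoof: the bar shows a navigation's target before that navigation has committed, so a page that starts a navigation to a trusted site and then cancels it is left with the trusted URL displayed over attacker-controlled content. The URLs and the two address bar models are constructed for the example; the check at the end is the invariant a practitioner would test any browser against, namely that the displayed URL always shares its origin with the rendered document.

```javascript
// Added illustrative model of address-bar spoofing. This is NOT DuckDuckGo's
// code and does not reproduce the specific technique reported against
// DuckDuckGo Privacy Browser 5.26.0 (the article does not describe it).
// Assumption: we model one well-known class of omnibox spoof, where the bar
// shows a navigation's *target* before that navigation has committed, so a
// page that starts a navigation and then cancels it is left with a trusted
// URL displayed over attacker-controlled content. All URLs are constructed.

// Vulnerable model: the displayed URL is updated on navigation start.
class EagerAddressBar {
  constructor() {
    this.committedUrl = "about:blank"; // document actually rendered
    this.pendingUrl = null;            // navigation in flight, if any
    this.displayed = "about:blank";    // what the user sees
  }
  startNavigation(target) {
    this.pendingUrl = target;
    this.displayed = target;           // bug: trusts an uncommitted target
  }
  abortNavigation() {
    this.pendingUrl = null;            // bug: displayed is left stale
  }
  commitNavigation() {
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
    this.displayed = this.committedUrl;
  }
}

// Hardened model: the displayed URL is derived only from the committed document.
class CommittedAddressBar {
  constructor() {
    this.committedUrl = "about:blank";
    this.pendingUrl = null;
  }
  startNavigation(target) { this.pendingUrl = target; }
  abortNavigation() { this.pendingUrl = null; }
  commitNavigation() {
    this.committedUrl = this.pendingUrl;
    this.pendingUrl = null;
  }
  get displayed() { return this.committedUrl; } // never shows a pending target
}

// Drive the spoof scenario against either model and report what the user sees
// versus what is actually rendered.
function runSpoofScenario(bar) {
  // 1. The attacker's page loads normally and commits.
  bar.startNavigation("https://attacker.example/");
  bar.commitNavigation();
  // 2. Script on that page starts a navigation to a trusted site...
  bar.startNavigation("https://bank.example/login");
  // 3. ...and cancels it before it commits (e.g. the request never completes).
  bar.abortNavigation();
  return { displayed: bar.displayed, actual: bar.committedUrl };
}

// Invariant check: the shown URL must have the same origin as the rendered
// document; any divergence is a spoof.
function isSpoofed(result) {
  return new URL(result.displayed).origin !== new URL(result.actual).origin;
}

console.log("eager:", runSpoofScenario(new EagerAddressBar()));
console.log("committed:", runSpoofScenario(new CommittedAddressBar()));
```

Running the scenario against the eager model leaves `https://bank.example/login` in the bar while `https://attacker.example/` is what is rendered; the committed model keeps the two in agreement because it has no state for the user-visible URL other than the committed document's.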
Unsuspecting users could therefore be taken to pages disguised as legitimate
web portals that in reality harvest their data, whether through phishing or by
delivering malware through malvertising campaigns.
Earlier, in May, security researcher Arif Khan, who found a similar
vulnerability in UC Browser, said: "URL Address Bar spoofing is the worst
kind of phishing attack possible. Because it's the only way to identify the
site which the user is visiting."