Security researcher Rafay Baloch found a remarkably simple way to bypass the address-bar protections of several browsers and spoof the URL they display.
Mozilla and Google have already fixed the problem, but according to Baloch many other vendors are still working on a fix. Google rewarded the researcher with $5,000 for finding and reporting the flaw.
The issue originates in the way browsers lay out URLs that mix right-to-left (RTL, e.g. Arabic) and left-to-right (LTR, e.g. Latin) characters. Bidirectional text layout reorders runs of text around an RTL character, and some browsers applied that reordering to the address bar, displaying parts of the URL in a different order from the one the browser actually navigates to. A user is thereby misled into thinking they are loading a different page than the one they are actually on.
In Google Chrome, for example, the URL 127.0.0.1/ا/http://google.com was rendered with the parts on either side of the Arabic "ا" character swapped, so the address bar showed http://google.com/ا/127.0.0.1 even though the browser had connected to 127.0.0.1.
According to Baloch, criminals could leverage this bug with little effort. An attacker running a phishing site would put their own server's address first, insert a single Arabic character in the middle of the URL to trigger the reordering, and append a legitimate website's domain at the end. Spread via spam attachments, SMS or instant messages, the link would take anyone who clicked it to the attacker's server, while the displayed URL, which appears to start with the legitimate domain, would convince them they were on a valid page when in fact they were on the crook's.
“The IP address part can be easily hided [sic] specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/… /127.0.0.1) in order to make the attack look more realistic,” Baloch explains.
Mozilla's Firefox (CVE-2016-5267) was also affected. The problem is now fixed there as well, though with a different patch, since Mozilla's codebase differs from Google's.
Against Firefox, the attacker had to use a different set of Arabic characters to build the malicious URL, for example http://عربي.امارات/google.com/test/test/test. When this link was opened, the browser displayed it reversed, as http://google.com/test/test/test/عربي.امارات/.
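Both the Chrome example and the Firefox example above have the same shape: an RTL run somewhere in the URL plus a hostname-looking token in the path, so that the rendered address bar leads with a domain the request never goes to. The following JavaScript is an added example, not code from the article or from Baloch's write-up, of a link pre-check that a mail gateway or phishing filter could run before a user clicks. It does not model how an address bar renders bidi text; it parses the URL with the WHATWG URL parser (the same parser browsers use), so the host it reports is the server the request actually reaches, and it flags the spoofing pattern while leaving a legitimate Arabic path alone. The sample links and the function name analyzeUrl are constructed for this example.

```javascript
// Added example (not from the article or from Baloch's write-up): a link
// pre-check that a mail gateway or phishing filter could apply before a user
// clicks. It does not model how an address bar renders bidi text; it parses
// the URL the way the network stack does, so `host` is the server the request
// actually reaches, and it flags the pattern used in both examples in the
// article: an RTL character plus a domain-looking token in the path.

// RTL scripts (Hebrew, Arabic, Syriac, Arabic Supplement/Extended, ...) and
// the explicit bidi control characters (LRE/RLE/PDF/LRO/RLO and the isolates).
const RTL_CHARS = /[\u0590-\u08FF\u202A-\u202E\u2066-\u2069]/;
// A path segment that looks like a hostname, e.g. "/google.com/".
const DOMAIN_TOKEN = /(?:^|\/)([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?=[\/?#]|$)/gi;

function analyzeUrl(raw) {
  let url;
  try {
    url = new URL(raw); // WHATWG parser, same as the browser's
  } catch (e) {
    return { ok: false, host: null, rtl: false, embedded: [], suspicious: false };
  }
  // The authority is whatever sits between "//" and the first "/", "?" or "#".
  // Read it from the raw string so an IDN host is inspected before the parser
  // converts it to punycode.
  const m = raw.match(/^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i);
  const rawAuthority = m ? m[1] : '';
  let path;
  try {
    path = decodeURIComponent(url.pathname); // the parser percent-encodes non-ASCII
  } catch (e) {
    path = url.pathname;
  }
  const rtl = RTL_CHARS.test(rawAuthority) || RTL_CHARS.test(path);
  const host = url.hostname.toLowerCase();
  const embedded = [];
  for (const hit of path.matchAll(DOMAIN_TOKEN)) {
    const token = hit[1].toLowerCase();
    if (token !== host) embedded.push(token);
  }
  // Verdict: RTL text somewhere in the URL *and* a hostname-like token in the
  // path is exactly the shape of a bidi address-bar spoof. RTL text alone
  // (a legitimate Arabic article path, say) is not enough to flag.
  return { ok: true, host, rtl, embedded, suspicious: rtl && embedded.length > 0 };
}

// Constructed sample links: the two URLs from the article plus two benign ones.
const SAMPLES = [
  'http://127.0.0.1/ا/http://google.com',
  'http://عربي.امارات/google.com/test/test/test',
  'https://example.com/docs/intro',
  'https://example.com/مقالة/intro',
];

for (const s of SAMPLES) {
  const r = analyzeUrl(s);
  console.log(r.suspicious ? 'SUSPICIOUS' : 'ok        ',
              'host=' + r.host, 'embedded=' + JSON.stringify(r.embedded), s);
}
```

Run it with `node` and the two article URLs are reported as suspicious with hosts 127.0.0.1 and the punycode form of the Arabic domain, never google.com; the two example.com links pass. The design point is that a filter must decide on the parsed authority, not on the string as a human (or a bidi-confused address bar) reads it: the scheme-then-authority rule is positional, and bidi reordering only changes display order, not which bytes precede the first slash.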
All users are strongly advised to update to the latest version of their browser to protect themselves from this flaw.