Hacker wins $5,000 for Chrome, Firefox address bar spoofing flaw

The "omnibox" vulnerability makes it easier to phish users or steal a user's data.
Written by Zack Whittaker, Contributor

A vulnerability in how Chrome and versions of Firefox render website addresses could allow an attacker to trick a user into visiting a spoof website that appears to be legitimate.

Rafay Baloch, a security researcher, won $5,000 in a combined bug bounty for finding the flaw.

In a blog post on Tuesday, he explained that the flaw could be used to trick users into supplying sensitive information to a malicious site, because the website appears to be legitimate in the browser's address box.

This address bar spoofing flaw works because some languages that display right-to-left, such as Arabic, are rendered differently. He explained that if you take a neutral right-to-left character (such as a forward slash), it can be used to flip a web address to also display right-to-left.

For example: ا/http://example.com would instead appear in the browser bar as http://example.com/‭ا/

That means anyone clicking on the link, which could be masked in a spam email or a tweet, would appear to be going to http://example.com but the site would display content from the IP address.
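
A defender-side check for the display flip described above, as an added example that is not from the original article or from Baloch's write-up: it uses the Unicode bidirectional classes in Python's unicodedata module to flag URL strings whose first strong character is right-to-left. The function names and finding labels are assumptions of this example, and the check for explicit bidi control characters goes beyond the case in the text.

```python
import unicodedata

# Unicode bidi classes (UAX #9) that give a character a strong direction.
STRONG_LTR = {"L"}
STRONG_RTL = {"R", "AL"}
# Explicit embedding, override and isolate controls that reorder displayed text.
BIDI_CONTROLS = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}


def first_strong_direction(text):
    """Return 'ltr', 'rtl' or None, decided by the first strong character."""
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls in STRONG_LTR:
            return "ltr"
        if cls in STRONG_RTL:
            return "rtl"
    return None


def bidi_findings(url):
    """List reasons a URL may be displayed in a different order than it is stored.

    These are review flags, not verdicts: a legitimate URL with an Arabic or
    Hebrew path is also reported as 'mixed-direction'.
    """
    findings = []
    if first_strong_direction(url) == "rtl":
        # A right-to-left first character sets the display direction of the line.
        findings.append("starts-rtl")
    classes = {unicodedata.bidirectional(ch) for ch in url}
    if classes & STRONG_RTL and classes & STRONG_LTR:
        findings.append("mixed-direction")
    if classes & BIDI_CONTROLS:
        findings.append("bidi-control")
    return findings


# Constructed samples, written with escapes so this source file has no bidi text.
SAMPLES = [
    "http://example.com/",               # plain left-to-right URL
    "\u0627/http://example.com",         # the article's example: Arabic alef first
    "http://example.com/\u202d\u0627/",  # contains a left-to-right override
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), bidi_findings(sample))
```

A mail gateway or link scanner could run such a check on the link target before display and show flagged URLs in escaped form.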

Baloch said that Chrome 53 and Firefox 48 for mobile will fix the issue. However, because the flaw exists in other browsers, he will refrain from disclosing the flaws as part of a responsible disclosure policy.

Google said the company was "aware of this issue," and said it will be fixed in all versions of Chrome in September.

Mozilla confirmed the flaw had also been fixed in its Android browser.
