Safari, Chrome hit by address bar spoofing bugs

Security researchers warn that it may make phishing far more effective.

Although Android is now patched, Safari remains vulnerable to the spoofing flaw. (Image: CNET/CBS Interactive)

Google has patched a bug in the Chrome browser on Android, which allowed an attacker to spoof a user into thinking they're accessing one website when they're actually visiting another.

How to reduce your mobile data usage

Mobile data is probably more of a commodity than anything else in our tech lives. Here are six ways to drastically reduce your monthly consumption.

Read More

Discovered in February by Rafay Baloch and disclosed Monday after it was fixed, the bug allowed the browser's address bar to be spoofed. That can be enough to convince a victim of a phishing email or text message to enter their usernames and passwords.

The bug was patched in early and then in later April. It affected Android 4.4 "KitKat" and Android 5.0 "Lollipop."

Rapid7, which detailed the flaw, said users should contact carriers or handset makers to ensure they received the patch.

But bad news for Apple, which now has to scramble to fix a similar flaw found in its Safari browser.

A proof-of-concept exploit was published Sunday that allows an attacker spoof the address bar in Safari on iPhones, iPads, and Macs. The exploit is far from perfect, as the browser can visibly be seen fighting the code to try to display the correct address.

It's not known if Apple, which did not immediately comment, is aware of the bug.

We reached out to the security researcher but did not hear back at the time of writing.