Safari, Chrome hit by address bar spoofing bugs

Security researchers warn that the flaw may make phishing far more effective.
Written by Zack Whittaker, Contributor
Although Android is now patched, Safari remains vulnerable to the spoofing flaw.
(Image: CNET/CBS Interactive)

Google has patched a bug in the Chrome browser on Android that allowed an attacker to trick a user into thinking they're accessing one website when they're actually visiting another.

Discovered in February by Rafay Baloch and disclosed Monday after it was fixed, the bug allowed the browser's address bar to be spoofed. That can be enough to convince a victim of a phishing email or text message to enter their usernames and passwords.

The bug was patched in early April and again in late April. It affected Android 4.4 "KitKat" and Android 5.0 "Lollipop."

Rapid7, which detailed the flaw, said users should contact carriers or handset makers to ensure they received the patch.

It's bad news for Apple, however, which now has to scramble to fix a similar flaw found in its Safari browser.

A proof-of-concept exploit was published Sunday that allows an attacker to spoof the address bar in Safari on iPhones, iPads, and Macs. The exploit is far from perfect, as the browser can visibly be seen fighting the code as it tries to display the correct address.

It's not known if Apple, which did not immediately comment, is aware of the bug.

We reached out to the security researcher but did not hear back at the time of writing.
