A bug hunter has discovered and publicly disclosed details of an unpatched browser address bar spoofing vulnerability that affects popular Chinese UC Browser and UC Browser Mini apps for Android.
Developed by Alibaba-owned UCWeb, UC Browser is one of the most popular mobile browsers, specifically in China and India, with a massive user base of more than half a billion users worldwide.
According to the details security researcher Arif Khan shared with The Hacker News, the vulnerability resides in the way the user interface of both browsers handles a special built-in feature that was designed to improve users' Google search experience.
The vulnerability, which has not yet been assigned a CVE identifier, could allow an attacker to control the URL string displayed in the address bar, eventually letting a malicious website pose as a legitimate site.
The vulnerability affects the latest UC Browser version 188.8.131.524 and UC Browser Mini version 184.108.40.2062, which are currently used by over 500 million and 100 million users respectively, according to the Google Play Store.
Though the flaw is similar to the one Khan discovered last month in the MI browser that comes pre-installed on Xiaomi smartphones and in the Mint browser, phishing pages served using the newly discovered vulnerability in UC Browser still leave some indicators that vigilant users can spot.
When users search for something on "google.com" using either UC Browser, the browser automatically removes the domain from the address bar and rewrites it to display only the search query string to the user.