A study shows that more than 1.2 billion people use their mobile phones for browsing the internet, and that number is increasing daily. Meanwhile, address bar spoofing is one of the most serious issues in modern web browsers.
In this article we will discuss address bar spoofing caused by long addresses in mobile web browsers. We will show how address bar spoofing is possible in some Android-based web browsers such as Chrome, Firefox and Opera using a few tactics. The purpose of this paper is to demonstrate the possibility of spoofing the address in mobile web browsers by using long sub-domains.
Introduction
Address bar spoofing is one of the most serious security issues in our web browsers; as Google states, “We recognize that the address bar is the only reliable security indicator in modern browsers”. Address bar spoofing can play a very important role in social engineering: a spoofed address bar allows an attacker to show a fake website, either a phishing page or any information-harvesting page, after which it is very easy for the attacker to build trust with the victim by displaying a fake URL or domain that pretends to be the official one.
In the past Rafay Baloch, a security researcher from Pakistan, discovered this issue in almost all major web browsers. He was able to spoof the web address by entering Arabic words in the address bar, because at that time mobile web browsers forced those Arabic words to the right side of the address bar while displaying the folders on the left, since Arabic is written from right to left whereas English starts from the left.
The same thing happened again this year when a security researcher named Xudong Zheng spoofed the address bar by abusing domains with Unicode characters.
1- Proof of concept
A sub-domain is a part of the parent domain, which is also called the root domain. As per policy, the subdivision can go on until it reaches 127 labels, and each label should not exceed 63 characters.
The width of a mobile phone or smartphone is small compared with a desktop, so its screen is obviously small as well, although the exact size differs between web browsers. The address bar is sized to fit the mobile screen, whereas the omnibox of a desktop web browser is much longer.
Behavior of the web browser
If we enter a sub-domain in our web browser, the browser currently tends to force the sub-domain to the left side while pushing the parent or root domain to the right side along with the sub-folders, and no maximum length has been defined to handle this abusive behavior.
Address bar spoofing due to long sub-domain
Spoofing the address bar using a long sub-domain is possible on smartphones because they have less width for the address bar, as discussed above. We have also discussed the browser behavior that forces the parent domain to the right and the sub-domain to the left side.
So we create a long sub-domain, either a single label or a chain of sub-domains, in such a way that the official address of the website is pushed to the right side as per this behavior while the sub-domain stays visible on the left side.
Following the policy, it was possible to create a chain of sub-domains for the parent domain. The fact of the matter is that in this scenario we can clearly show google.com as if it were the parent domain, when it is actually a sub-domain.
Example for Google.com
We have used the long sub-domain “accountsession.google.com.securityfuse.com”. Here securityfuse.com is the parent domain, but due to the vulnerable behavior we have pushed it to the right side while displaying google.com as the parent or root domain to the user. Moreover we have used a sample phishing page for the demonstration to illustrate a successful social engineering attack.
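The following Python script is an added example, not code from the original post or from Security Fuse. It checks a hostname against the label limits quoted above (127 labels, 63 characters per label), extracts the real parent domain, flags a watched brand domain that appears only inside the sub-domain part, and simulates what a narrow, left-anchored address bar would show, using the article's own “accountsession.google.com.securityfuse.com” as input. The parent-domain rule (rightmost two labels), the bar width of 26 characters and the WATCHED_DOMAINS list are assumptions made for the example.

```python
import re

MAX_LABEL_LEN = 63   # per-label limit quoted in the article
MAX_LABELS = 127     # label-count limit quoted in the article

# Brands whose domain should never appear inside someone else's sub-domain.
# Constructed list for this example; a deployment would load its own.
WATCHED_DOMAINS = ("google.com", "paypal.com")

# A label is letters, digits and hyphens, not starting or ending with a hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)


def labels(hostname):
    """DNS labels of a hostname, left to right, ignoring a trailing dot."""
    return hostname.rstrip(".").lower().split(".")


def validate_hostname(hostname):
    """Policy violations as a list of strings; an empty list means well-formed."""
    errors = []
    parts = labels(hostname)
    if len(parts) > MAX_LABELS:
        errors.append("too many labels: %d > %d" % (len(parts), MAX_LABELS))
    for part in parts:
        if len(part) > MAX_LABEL_LEN:
            errors.append("label too long: %d > %d" % (len(part), MAX_LABEL_LEN))
        elif not LABEL_RE.match(part):
            errors.append("invalid label: %r" % part)
    return errors


def parent_domain(hostname):
    """The registrable (parent/root) domain, taken as the rightmost two labels.
    Assumption: this ignores multi-label public suffixes such as co.uk, which a
    real check would resolve with the Public Suffix List."""
    return ".".join(labels(hostname)[-2:])


def embedded_brand(hostname):
    """A watched brand domain that appears in the sub-domain part of hostname
    while the real parent domain is something else, or None."""
    parent = parent_domain(hostname)
    sub = "." + ".".join(labels(hostname)[:-2]) + "."
    for brand in WATCHED_DOMAINS:
        if parent != brand and ("." + brand + ".") in sub:
            return brand
    return None


def visible_in_bar(hostname, bar_width):
    """Simulate a left-anchored address bar that shows bar_width characters:
    the leftmost labels are visible and the rest is pushed out of view."""
    return hostname[:bar_width]


def assess(hostname, bar_width=26):
    """Summarise what a user would see and whether a brand is being imitated."""
    parent = parent_domain(hostname)
    shown = visible_in_bar(hostname, bar_width)
    return {
        "parent_domain": parent,
        "shown": shown,
        "parent_visible": parent in shown,
        "embedded_brand": embedded_brand(hostname),
        "errors": validate_hostname(hostname),
    }


if __name__ == "__main__":
    for name in ("accounts.google.com",
                 "accountsession.google.com.securityfuse.com"):
        print(name, "->", assess(name))
```

For the article's hostname the simulated bar shows only “accountsession.google.com.”, the real parent domain securityfuse.com is out of view, and google.com is reported as an embedded brand, which is exactly the signal a URL filter or mail gateway would want to act on.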
An attacker can also redirect the user to a web page configured to read the user agent string and extract smartphone information; after extracting it, the script can forward the user to a web address of a specific length that fits the width of that mobile's address bar, which makes the attack succeed.
The same proof of concept applies to the majority of web browsers; some of them are listed below.
- Google Chrome (Android)
- Android Web Browser
- Firefox Web Browser (Android)
- Opera Web Browser (Android)
- UC Web Browser (Android)
While talking to Opera, they stated:
“We welcome you to bring discussion of this matter into a public forum so that other vendors and interested parties can discuss it and come up with solutions. Many vendors have previously rejected the possible solution of marqueeing the domain name. Popup warnings are unlikely to be an acceptable solution. Right aligning also cannot work, as it simply shifts the problem to the other end of the address field, and would still allow attackers to spoof long domain names” ~ Opera Security Team
Additionally, I would like to mention that Opera is not the only one affected.
2- Proof of concept
Another trick that can be used to spoof the address bar is spoofing it with an image. We can call it “Image Based Address Bar Spoofing”: the attacker spoofs the address bar using an image of the address bar of the targeted domain, which is shown in place of the current address.
Behavior of the web browser
When using Android-based Google Chrome to browse websites, Chrome detects when we tap the screen to scroll down, and as we scroll down over the web page Chrome hides the address bar as per its design. It makes sense that this can be utilized for spoofing the address bar.
Image Based Address Bar Spoofing
We have discussed the browser behavior which shows that if we scroll down it hides the address bar. Once the address bar is hidden, a cropped image of a fake address bar with the targeted address, such as accounts.google.com, can be placed where the real one was. JavaScript and CSS can be used to make this even more convincing.
With JavaScript and CSS the image can be kept hidden until needed; as soon as a normal user scrolls down the page, the scroll is detected with JS, and once the address bar is completely hidden the attacker can automatically display the image in place of the real address that is now out of view. Moreover, if CSS sticks it to the top of the web page it moves like a normal address bar, which makes it difficult for a normal user to detect.
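The three ingredients just described (a scroll handler, an element fixed to the top of the viewport, and an image inside that element) are also what a page scanner can look for. The script below is an added example and not part of the original post; it is a heuristic that inspects page source for that combination and returns a verdict. It only understands inline `style` attributes (not stylesheet rules) and the sample pages are constructed fixtures for the example.

```python
import re

# Indicator 1: the page reacts to scrolling.
SCROLL_RE = re.compile(
    r"addEventListener\(\s*['\"]scroll['\"]|\bonscroll\b|\b(?:scrollY|pageYOffset|scrollTop)\b",
    re.IGNORECASE)
# Indicator 2: an inline style attribute with both position:fixed and top:0 (any order).
FIXED_TOP_STYLE_RE = re.compile(
    r"""style\s*=\s*(['"])(?=[^'"]*position\s*:\s*fixed)(?=[^'"]*\btop\s*:\s*0)[^'"]*\1""",
    re.IGNORECASE)
START_TAG_RE = re.compile(r"<(\w+)([^>]*)>")
IMG_RE = re.compile(r"<img\b", re.IGNORECASE)


def scan_page(html):
    """Return which indicators of an image-based fake address bar are present."""
    fixed_top_image = False
    for m in START_TAG_RE.finditer(html):
        tag, attrs = m.group(1), m.group(2)
        if not FIXED_TOP_STYLE_RE.search(attrs):
            continue
        # Indicator 3: an <img> between this start tag and its closing tag.
        close = html.lower().find("</" + tag.lower() + ">", m.end())
        body = html[m.end():close if close != -1 else len(html)]
        if IMG_RE.search(body):
            fixed_top_image = True
            break
    return {
        "scroll_handler": bool(SCROLL_RE.search(html)),
        "fixed_top_image": fixed_top_image,
    }


def verdict(html):
    """'suspicious' when both indicators co-occur, 'review' for one, else 'clean'."""
    found = scan_page(html)
    if all(found.values()):
        return "suspicious"
    if any(found.values()):
        return "review"
    return "clean"


# Constructed fixtures for the example.
SUSPICIOUS = """<html><body>
<div id="fakebar" style="position:fixed; top:0; display:none"><img src="bar.png" alt="constructed"></div>
<script>window.addEventListener('scroll', onScroll);</script>
</body></html>"""

BENIGN_NAV = """<html><body>
<div class="nav" style="position:fixed; top:0"><img src="logo.png" alt="site logo"></div>
<p>Content with no scroll handling.</p>
</body></html>"""

LAZY_LOAD = """<html><body><script>window.onscroll = function () { loadMore(); };</script></body></html>"""

if __name__ == "__main__":
    for name, page in (("suspicious", SUSPICIOUS), ("nav", BENIGN_NAV), ("lazy", LAZY_LOAD)):
        print(name, scan_page(page), verdict(page))
```

A fixed header with a logo or an infinite-scroll script each trip one indicator and are common on legitimate sites, so only the combination is rated suspicious; a real scanner would add the fixture's image dimensions and the rendered position of the element to reduce false positives.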
Results & Conclusion
Such techniques are very useful to attackers if performed successfully. Social engineering attacks depend on such tactics, where the attacker tries to exploit the victim's trust. In the case of address bar spoofing, I consider it one of the best mediums for launching a social engineering attack on a victim.
Times have changed; the majority of normal users rely on smartphones. Use of smartphones for browsing has increased greatly over the past few years compared with desktops or laptops, which shows great potential, while address bar spoofing in Android is a major security issue that an attacker can use along with phishing scripts for spamming or any other illegal purpose.
content provided on this page is the authority of Security Fuse and it is only for peaceful and educational purpose. Security Fuse is not responsible for any type of act caused by viewers after reading content from *.securityfuse.com. Republication without our permission is not allowed.