Researcher wins $5,000 for discovering this bug

Aug 16, 2016 23:35 GMT  ·  By

Security researcher Rafay Baloch has discovered a simple way to defeat several browser security features and spoof URLs in the browser address bar using a very, very simple trick.

At the time of writing, Google and Mozilla have fixed the issue, but Baloch says that other vendors are still working on getting this corrected. The researcher also reveals he received a $5,000 reward from Google for his bug report.

Chrome handles mixed RTL-LTR links incorrectly

Put simply, the problem lies in how the browsers lay out URLs written with mixed RTL (Arabic) and LTR (Roman) characters.

According to Baloch, several browsers get confused and end up switching parts of the URL around, tricking the user into thinking they're accessing a different site than the one they're really on.

For example, in Chrome, this bug takes a URL in the form of 158.10.230.11/ا/http://google.com and switches it around the Arabic "ا" character like this: http://google.com/‭ا/158.10.230.11.

Flaw is terribly easy to weaponize

A hacker running a phishing site can take the server's IP, add one of a few Arabic characters that trigger this behavior in the middle of the URL, and append the domain of a legitimate website at the end.

They can then embed this URL in spam email, SMS, or IM messages, and when the user clicks on it, they'll end up on a page that shows a URL starting with a valid domain, but in reality, they'd be on the crook's server.

"The IP address part can be easily hided [sic] specially on mobile browsers by selecting a long URL (google.com/fakepath/fakepath/fakepath/... /127.0.0.1) in order to make the attack look more realistic," Baloch explains.

Firefox affected as well

The same issue was present and fixed in Firefox (CVE-2016-5267), but with a slightly different exploitation scenario since Mozilla uses a different codebase from Google.

For Mozilla, the attackers had to use Arabic characters for the malicious URL, like this: http://عربي.امارات/google.com/test/test/test.

When accessing this link, the browser would display it in reverse as such: http://google.com/test/test/test/عربي.امارات/.
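As an added defender-side example (not code from the article or from Baloch), the check below flags URLs that mix LTR text with RTL text or Unicode bidi control characters, reports which URL component carries the RTL text, and produces an ASCII-only display form. The sample URLs are the ones quoted above for Chrome and Firefox; the percent-encoded display form is an assumed mitigation for a mail gateway or log viewer, not a description of the vendors' actual patches.

```python
import unicodedata
from urllib.parse import quote, urlsplit

# Explicit bidi embedding/override/isolate controls (UAX #9); invisible, but
# they reorder neighbouring text when a browser lays the string out.
BIDI_CONTROLS = {"RLE", "RLO", "RLI", "LRE", "LRO", "LRI", "FSI", "PDF", "PDI"}
# Strong right-to-left classes: R (Hebrew etc.) and AL (Arabic letters).
RTL_OR_CONTROL = {"R", "AL"} | BIDI_CONTROLS


def bidi_classes(text):
    """Set of Unicode bidirectional classes present in text."""
    return {unicodedata.bidirectional(ch) for ch in text}


def has_mixed_direction(url):
    """True when a URL contains both left-to-right letters and RTL text or
    bidi controls: the precondition for the reordering the article shows."""
    classes = bidi_classes(url)
    return "L" in classes and bool(classes & RTL_OR_CONTROL)


def rtl_components(url):
    """Names of the URL components (host, path, query, fragment) carrying RTL
    text or bidi controls. RTL in the host alone can be a legitimate IDN;
    RTL in the path beside a second 'http://' is the Chrome spoof pattern."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    fields = {"host": parts.netloc, "path": parts.path,
              "query": parts.query, "fragment": parts.fragment}
    return [name for name, text in fields.items()
            if bidi_classes(text) & RTL_OR_CONTROL]


def display_form(url):
    """Strip bidi controls and percent-encode every non-ASCII code point so
    the string renders as pure LTR ASCII; visual order then equals logical
    order. (Assumed defensive display choice, not the browsers' patch.)"""
    cleaned = "".join(ch for ch in url
                      if unicodedata.bidirectional(ch) not in BIDI_CONTROLS)
    return quote(cleaned, safe="/:?#[]@!$&'()*+,;=%")


if __name__ == "__main__":
    # Constructed from the URLs quoted in the article.
    for sample in ("158.10.230.11/ا/http://google.com",
                   "http://عربي.امارات/google.com/test/test/test"):
        print(has_mixed_direction(sample), rtl_components(sample),
              display_form(sample))
```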

Users should update their browsers to the latest versions to avoid being exposed to this security bug.

Image: URL spoofing bug in Chrome
Image: URL spoofing bug in Firefox