Rafay Baloch, a world renowned security researcher and ethical hacker from Pakistan has found an address bar spoofing flaw in Google and Mozilla Firefox ─ two most popular internet browsers.
This vulnerability comes in play when Chrome and Firefox render website addresses and it could allow the hackers to trick users into visiting a fake website that appears to be legitimate.
This vulnerability exists because some languages such as Urdu, Arabic, Persian and Hebrew are displayed right to left and are rendered differently. Rafay Explained in his blog post that by placing neutral characters such as “/”, “ا” in filepath causes the URL to be flipped and displayed from Right To Left.
So 127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/ا/127.0.0.1 and if you click on it the fake website will be loaded but you’ll think of it as legitimate.
Google and Mozilla both have fixed this issue in the latest version of the browsers, however anyone using the older version or some other browsers may become the victim of this vulnerability.
Rafay pointed out in his blog post that variation of similar vulnerability has also been discovered in several other browsers that are still undergoing a fix but refrained from disclosing the flaws as part of a responsible disclosure policy.
Rafay gets a Handsome Bounty Reward
He also got a sum of $5000 as reward for finding and reporting these critical flaws in browser security as well as acclamation from security experts around the world.