Android address bar spoofing due to OmniBox



Abstract

A study shows that more than 1.2 billion people use their mobile phones for browsing over the internet which is increasing on daily basis. While Address Bar Spoofing is one of the most serious issue in modern web browsers.

In this article we will discuss about address bar spoofing due to long address in mobile web browsers. We will figure out how address bar spoofing in some android based web browsers like chrome , firefox and opera is possible using few tactics. However purpose of this paper is to demonstrate possibilities of spoofing address in mobile web browsers by using long sub-domains.

Introduction

Address bar spoofing is one of the most serious security issue in our web browsers as Google states that “ We recognize that the address bar is the only reliable security indicator in modern browsers ”. Address bar spoofing could play a very important role in social engineering could be utilized potentially where a spoofed address bar can allow attacker to show fake website either a phishing or any information harvesting page , after it would be very easy for an attacker to build some trust over the victim by displaying him a fake URL / Domain which is pretending to be official.

In past Rafay Baloch a security researcher from Pakistan discovered this issue in almost all major web browsers , allowing him to spoof web address by executing Arabic words in address bar because at that time mobile web browser was forcing the those Arabic words over to the right side of the web browser while displaying the folders on the left due to the fact that it starts from the right side however in case of English which starts from the left side. 




Same thing happened recently this year when a security researcher named Xudong Zheng spoofed address bar by abusing domains with unicode characters.


1- Proof of concept

A sub domain is a part of the parent domain which is also called as the root domain. As per policy the subdivision can goto unless it reaches 127 and each of its part should not exceed 63 characters.

Our mobile phone or smartphone width is small in case if we compare it with desktop so it is obvious that screen size is also small while size may differ as per comparison in case for web browsers. It is obvious that size of the address bar would be justified as per size of the mobile screen but in case if we compare it with desktop version of web browsers omnibox size for address bar would be long.

Behavior of the web browser

In case if we input any sub domain in our web browser at the moment it is intent to force the sub domain at the left side while pushing the parent or root domain over to the right side along with sub folders while no maximum length has been defined at the moment to handle the abusive behavior.

Address bar spoofing due to long sub-domain

Spoofing address bar using a long sub-domain is possible on smartphones because they have less width for the address bar as discussed above. While we have also discussed behavior of web browser which will force the parent domain at the right and sub-domain over to the left side.

If we create such a long sub-domain either single or a chain of sub-domains in such a way that official address for the website is forced over the right side as per behavior and its sub-domain on the left side.

Following the policy it was possible to create a chain of sub-domains for the parent domain. Fact of the matter is that in this scenario we can clearly show google.com a parent domain which would be actually a sub-domain.


Example for Google.com
Malicious Website ( PARENT DOMAIN )
Malicious Website ( SUB-DOMAIN )
securityfuse.com
accountssession.google.com.securityfuse.com




We have used a long sub-domain “ accountsession.google.com.securityfuse.com ” here securityfuse.com is the parent domain but due vulnerable behavior we have pushed it over to the right side while displaying google.com as a parent or root domain to the user. Moreover we have used a sample phishing page for the demonstration to elaborate a successful social engineering attack.

Attacker can also redirect user to a web page configured mine user agent string and extract smartphone information and after extracting mobile information that script can forward user to web address of a specific length which is justified for the width of that mobile which makes it successful.

Same proof of concept is applied on majority of web browsers while some of them are listed below.
  • Google Chrome ( Android )
  • Android Web Browser
  • FireFox Web Browser ( Android )
  • Opera Web Browser ( Android )
  • UC Web Browser ( Android )


While talking to Opera they stated

We welcome you to bring discussion of this matter into a public forum so that other vendors and interested parties can discuss it and come up with solutions. Many vendors have previously rejected the possible solution of marqueeing the domain name. Popup warnings are unlikely to be an acceptable solution. Right aligning also cannot work, as it simply shifts the problem to the other end of the address field, and would still allow attackers to spoof long domain names ”~ Opera Security Team

additionally i would like to mention that opera is not the only one to be affected.

2- Proof of concept

Another trick which could be used to spoof address bar is spoofing it using image. We can name it “ Image Based Address Bar Spoofing ”where attacker can spoof address bar using image containing address bar of targeted domain which needs to be replaced with the current address.

Behavior of the web browser

While using android based Google Chrome for browsing websites if we scroll down over the web page Chrome detects if we tap the screen to scroll down and in case if we scroll down over the web page , chrome would hide the address bar as per its behavior. It makes a sense that we can utilize it for spoofing address bar.

Image Based Address Bar Spoofing

We have discussed behavior of the web browser which proves that in case if we scroll down it would hide the address bar. Once address bar is hidden we can use a cropped image of a fake address bar with targeted address like accounts.google.com and place it is justified as per condition. We can also use Javascripts and CSS to make this even more successful.



With the use of Javascript and CSS we can hide it as per condition and as soon a normal user scrolls down over the web page we can detect it using a JS and once address bar is completely hidden attacker can automate this image to get itself displayed at the moment to replace it with the current address which is hidden. Moreover using CSS if we stick it over the top of the web page it would move like a normal address bar which makes it difficult to detect for a normal user.


Results & Conclusion

Such type of techniques are very useful for attackers if performed successfully. Social engineering attacks are dependent on such tactics where attacker tries to exploit his/her trust. In case of address bar spoofing i consider it one of the best medium to launch attack on victim in reference to social engineering.

Time has changed , majority of normal users are relying on smartphones. Use of smartphone to browsing has largely increased over the past few years if we compare it with desktop or laptops which shows a great potential while Address bar spoofing in android is a major security issue where an attacker can use it along with phishing scripts either for spamming or any illegal purpose.


content provided on this page is the authority of Security Fuse and it is only for peaceful and educational purpose. Security Fuse is not responsible for any type of act caused by viewers after reading content from *.securityfuse.com. Republication without our permission is not allowed.
Share on Google Plus

About Ahmed Mehtab

Ahmed Mehtab is a white hat cyber security researcher , speaker , trainer and blogger at security fuse. He loves to research on cyber security issues , cyber crime and hacktivism. Quote " Being a hacker without having knowledge of programming is just like a knife without sharpness ~ Ahmed Mehtab "

1 comments :

  1. Keunggulan lainnya dari Firefox adalah program yang dibuat sangat cepat, stabil, mudah digunakan untuk pengguna rumahan serta aman dari gangguan iklan serta virus selain itu Firefox juga didistribusikan secara gratis dan bersifat open source artinya mudah dimodifikasi oleh komunitas atau pengembang. Search Bar Firefox 57 Quantum addon

    ReplyDelete

Hi , Please take a minute to say somthing about this post