Rapid7 analysts and independent information security expert Rafay Baloch report that seven popular mobile browsers allow malicious sites to change the URL and display a spoofed address in the address bar.
With address bar spoofing, an attacker can modify the real URL and thus display a fake page instead of the legitimate one. The technique is generally used to impersonate well-known sites that users visit. The victim, confident of being on the correct page, actually exposes their data and falls victim to a phishing attack.
The problem of address bar spoofing has been around for as long as the internet itself. While modern desktop browsers have many security mechanisms that make it easy to detect a fake URL, mobile browsers do not. On mobile devices screen size matters a lot, and therefore many security measures had to be neglected there. This leaves a window open for hackers to carry out their attacks.
As mentioned above, the researchers found that seven mobile browsers are vulnerable to such spoofing. These are Apple Safari, Opera Touch and Opera Mini, Bolt, RITS, UC Browser, and Yandex.Browser.
The vulnerabilities were identified this summer. The researchers brought the problem to the attention of the browser makers in August, and they have released updates to correct it.
Users of any of these browsers on their mobile phones should make sure they have the latest version and, if patches are still missing, use other, more secure applications.