Google patches Android Chrome address bar spoofing bug
The existence of another address bar spoofing bug has been revealed, and this one affects the Android Chrome browser.
“Due to a problem in handling 204 ‘No Content’ responses combined with a window.open event, an attacker can cause the stock Chrome browser on Android to render HTML pages in a misleading context,” Rapid7’s Tod Beardsley explained.
“An attacker could use this vulnerability to convince a victim of a phishing e-mail, text, or link to enter private credentials to an untrusted page controlled by the attacker.”
The bug was discovered by independent researcher Rafay Baloch, and Google has been notified of it.
The Android security team has pushed out patches first for KitKat (4.4.x) and then for Lollipop (5.0.x) main distributions.
“Users are advised to contact their carriers to determine if they have received updated versions of these operating systems,” says Beardsley, who notes that if patches are unavailable, users should “avoid using the Chrome browser to perform authentication, especially when following links from untrusted or unverifiable sources until patches are available.”
Since the beginning of 2015, two other address bar spoofing bugs have been uncovered by researcher David Leo: the first, affecting Internet Explorer, was disclosed in February, and the second, affecting Safari, just a few days ago.