CVE-2018-12448

Vulnerability

Whale Browser before version 1.3.48.4 fails to display any URL information in the address bar when the user visits a non-HTTP page (e.g., ftp:, file:, or custom protocol handlers). Instead, only the page title is shown. This allows an attacker to craft a malicious page that, when opened via such a protocol, impersonates a legitimate domain name [1].

Exploitation

An attacker must first lure the user to a non-HTTP resource, for example by embedding a link in an email or on a legitimate-looking website, or by using a redirect from an HTTP page. Once the user clicks the link or is navigated to the malicious non-HTTP page, the address bar shows only the page's title. The attacker can set the title to any desired fake domain name, thereby spoofing the origin of the page [1].

Impact

An attacker can display a malicious web page that appears to belong to a trusted domain, leading to possible phishing, credential theft, or the execution of attacker-controlled content under a false identity. The user has no visible URL indication to verify the actual source [1].

Mitigation

The vulnerability is fixed in Whale Browser version 1.3.48.4 and later. Users should update their browser to the latest available version. No workaround is available for unpatched versions. The advisory credits YongShao (Zhiyong Feng) for reporting the issue [1].