VYPR
Unrated severity · NVD Advisory · Published Dec 16, 2021 · Updated Aug 4, 2024

URL Address Bar Spoofing in F-Secure SAFE Browser for iOS

CVE-2021-40835

Description

A URL address bar spoofing vulnerability was discovered in Safe Browser for iOS. When a user clicks on a specially crafted malicious URL, if the user does not pay careful attention to the URL, the user may be tricked into thinking the content is coming from a valid domain while it comes from another. This is performed by using a very long username part of the URL so that the user cannot see the domain name. A remote attacker can leverage this to perform a URL address bar spoofing attack. The fix is that the browser no longer shows the username part in the address bar.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Safe Browser for iOS rendered the username (userinfo) portion of a URL in its address bar; a very long username pushes the real host out of view, allowing a remote attacker to spoof the address bar and deceive users about the true domain.

Vulnerability

The address bar in F‑Secure SAFE Browser for iOS rendered the username (userinfo) portion of a URL in full, however long it was. In a URL of the form scheme://userinfo@host/path, the text between the "//" and the "@" is userinfo; the browser resolves and connects to the host after the "@". An attacker who supplies an excessively long username can therefore push the real host out of the visible address bar area entirely. The issue affects versions before the fix, after which the browser no longer shows the username part in the address bar. The official description states that a fix was applied, but no exact patched version number is given in the available references [1].

Exploitation

An attacker needs only to craft a URL with a very long username component, for example http://[long-string]@attacker.com, where the long string begins with text that looks like a legitimate domain. When a user clicks the link, the visible part of the address bar is filled by that username text, and the actual host (after the @ sign) is pushed off the right edge and hidden. A user who does not scroll or scrutinize the entire URL may believe they are visiting the legitimate-looking domain shown in the visible portion. No authentication or special privileges are required beyond luring the user to click the link.

Impact

Successful exploitation allows the attacker to perform a URL address bar spoofing attack: the user is tricked into thinking the content originates from a valid domain while it actually comes from a different, potentially malicious, one. If the user trusts the spoofed site, this can lead to disclosure of sensitive information such as credentials or personal data. The attack undermines the address bar as the browser's primary trust indicator for the origin of a page.

Mitigation

F‑Secure fixed the vulnerability by modifying Safe Browser for iOS so that the username portion of a URL is no longer displayed in the address bar. Users should ensure they are running the latest version of the browser. The reference advisory page [1] lists related advisories but does not disclose a specific patched version number for this CVE. If no update is available, users should inspect the full URL before trusting content; in particular, a web link whose authority contains an "@" is a red flag, since legitimate sites almost never embed credentials in the links they publish.
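To make the mechanics in the Exploitation and Mitigation sections concrete, here is an added JavaScript example; it is not code from F‑Secure, from the SAFE Browser, or from the advisory. It uses only the standard WHATWG URL API available in Node.js and browsers. The example domains, the padding length, the 40-character "visible" width and the 64-character threshold in the scanner heuristic are assumptions chosen for illustration.

```javascript
// Added example (not code from F-Secure or the advisory): how the userinfo
// component of an http(s) URL can push the real host out of a narrow address
// bar, the display rule that removes the problem, and a scanner heuristic.
// Uses only the WHATWG URL API built into Node.js and browsers.

// Constructed sample. The "legitimate-looking" text sits in the userinfo part
// (before '@'); padding pushes the real host far to the right. Both domains are
// reserved example names, not real sites.
const PADDING = "x".repeat(300);
const CRAFTED =
  `https://login.example-bank.com.session.${PADDING}@attacker.example/signin`;

// Where the request actually goes versus what fits in a short address bar.
function describe(urlString, visibleChars = 40) {
  const u = new URL(urlString);
  return {
    connectsTo: u.hostname,                     // host the browser resolves
    userinfo: u.username,                       // cosmetic text before '@'
    visible: urlString.slice(0, visibleChars),  // what a narrow bar shows
  };
}

// The fix the advisory describes: never render userinfo in the address bar.
// Returns the string to display; navigation still uses the original URL.
function displayUrl(urlString) {
  const u = new URL(urlString);
  u.username = "";
  u.password = "";
  return u.href;
}

// Heuristic for a link scanner or mail gateway: a userinfo component that looks
// like a hostname (dotted labels), or is absurdly long, is a strong spoofing
// signal, since legitimate web links almost never embed credentials.
// The 64-character cutoff is an assumed tuning value, not a standard.
const HOSTLIKE = /^[a-z0-9-]+(\.[a-z0-9-]+)+/i;
function looksLikeAddressBarSpoof(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return false; // not a URL at all; nothing to spoof
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return false;
  if (u.username === "" && u.password === "") return false;
  return HOSTLIKE.test(u.username) || u.username.length > 64;
}

// Stand-alone run: show the three views side by side.
const view = describe(CRAFTED);
console.log("visible in bar :", view.visible + "...");
console.log("connects to    :", view.connectsTo);
console.log("safe display   :", displayUrl(CRAFTED));
console.log("flagged        :", looksLikeAddressBarSpoof(CRAFTED));
```

The first 40 characters of the crafted URL read as a bank login page, while `hostname` is attacker.example; `displayUrl` reproduces the vendor's fix by dropping the userinfo before rendering, and `looksLikeAddressBarSpoof` is the kind of check a gateway can apply to links before a user ever sees them.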

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)