Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android

Vulnerability

Versions 19.0 and below of the F-Secure Internet Security Browser for Android on all supported platforms fail to display the complete URL, such as the port number, in the address bar [1], [2]. This allows a maliciously crafted website to present a spoofed address bar, making the browser appear to show a legitimate destination when it is actually visiting an attacker-controlled site [1], [2]. The issue was fixed in an automatic update released on April 13, 2022 [2].

Exploitation

An attacker must control a website that crafts a URL in a way that exploits the incomplete URL display, such as by omitting the port number [1], [2]. No network position or authentication is required beyond gaining a user visit to the malicious site. Successful exploitation involves the user observing the truncated address bar and being misled into believing the site is legitimate, thereby performing actions like entering credentials or other sensitive information [2].

Impact

A successful attack results in a phishing scenario where an attacker can spoof the address bar to impersonate a trusted website. This leads to unauthorized information disclosure if the user is tricked into providing credentials or other sensitive data [1], [2]. The impact is limited to user interaction, as no code execution or system compromise is achieved via this vulnerability [2].

Mitigation

The vulnerability is fixed in F-Secure Internet Security Browser for Android via an automatic update released on April 13, 2022 [2]. No user action is required; the fix is applied through the browser's normal update channel. Users should ensure their browser is updated to the latest version to remediate the issue [2]. No workaround is necessary as the patch is already available.