Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android
Description
A vulnerability affecting the F-Secure SAFE browser was discovered. A maliciously crafted website could mount a phishing attack by spoofing the address bar, because the address bar did not show the correct address if navigation failed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
F-Secure SAFE Browser for Android (≤18.6) fails to update the address bar when navigation to a malicious URL fails, enabling phishing attacks.
Vulnerability
F-Secure SAFE Browser for Android versions 18.6 and below [1] contain a vulnerability where the address bar fails to update when navigation to a new URL fails [2]. This allows a maliciously crafted website to control the displayed URL even after the browser fails to load a new page, effectively spoofing the address bar [1][2]. The issue is present in the F‑Secure Internet Security Browser for Android (also referred to as SAFE Browser in the advisory context) [1][2].
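The failure mode described above can be made concrete with a small state model of a browser tab. This is an added example, not code from F-Secure or from the advisory. The `Tab` class, the `revert_on_failure` switch, the early display of the target URL, and the `site-a.example` / `site-b.example` URLs are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


def origin(url: str) -> str:
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"  # the part a user relies on for trust


@dataclass
class Tab:
    committed_url: str                 # document actually rendered in the tab
    revert_on_failure: bool = True     # False models the flawed behaviour
    pending_url: Optional[str] = None  # navigation requested, not yet committed
    shown_url: str = ""                # text currently in the address bar

    def __post_init__(self) -> None:
        self.shown_url = self.committed_url

    def start(self, url: str) -> None:
        self.pending_url = url
        self.shown_url = url           # assumption: bar shows the target early

    def commit(self) -> None:
        self.committed_url = self.shown_url = self.pending_url
        self.pending_url = None

    def fail(self) -> None:
        self.pending_url = None
        if self.revert_on_failure:     # corrected: fall back to the real document
            self.shown_url = self.committed_url

    def bar_mismatch(self) -> bool:
        """True when the tab is idle but the bar names another origin."""
        idle = self.pending_url is None
        return idle and origin(self.shown_url) != origin(self.committed_url)


def replay(events, revert_on_failure: bool) -> Tab:
    """Apply (action, *args) events to a tab that starts on the first URL."""
    tab = Tab(events[0][1], revert_on_failure)
    for action, *args in events[1:]:
        getattr(tab, action)(*args)
    return tab

# Constructed trace: a page on site-a.example starts a navigation that fails.
TRACE = [("load", "https://site-a.example/"),
         ("start", "https://site-b.example/login"), ("fail",)]
```

Replaying `TRACE` with `revert_on_failure=False` leaves the bar on `site-b.example` while the rendered document is still from `site-a.example`; with the default setting the bar returns to the committed URL, and `bar_mismatch()` can serve as a regression-test invariant.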
Exploitation
An attacker needs to host a malicious website and lure a victim using an affected F-Secure SAFE Browser to visit it [1][2]. The attack sequence involves causing the browser navigation to a seemingly legitimate URL to fail, after which the address bar retains the originally displayed (spoofed) URL while the actual content may be attacker-controlled or a phishing page [2]. The user does not need to interact beyond visiting the malicious site; no special privileges or network position beyond public web hosting is required.
Impact
Successful exploitation enables a phishing attack where the victim sees a trusted URL in the address bar while the displayed page content is controlled by the attacker [1][2]. This can lead to credential theft or other sensitive information disclosure, as the user believes they are interacting with a legitimate site. The impact is limited to address bar spoofing; no code execution or direct data exfiltration beyond user deception is reported.
Mitigation
F-Secure released a fix via the automatic update channel on April 13, 2022 [2]. Users running F-Secure Internet Security Browser for Android version 18.6 or below are automatically patched and no manual action is required [2]. No known exploits in the wild have been reported, and the vulnerability was disclosed through F-Secure's Vulnerability Reward Program [2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 18.6
Patches
No patches discovered yet.
References
- www.f-secure.com/en/home/support/security-advisories (mitre, x_refsource_MISC)
- www.f-secure.com/en/home/support/security-advisories/cve-2022-28870 (mitre, x_refsource_MISC)