Address Bar Spoofing Vulnerability in F-Secure SAFE Browser for Android

Vulnerability

A vulnerability in F-Secure SAFE browser allows address bar spoofing. When navigation fails in a loop, the address bar does not update correctly, enabling a malicious website to display a fake URL. Affected versions include the SAFE browser; specific version details are not disclosed in the available references [1].

Exploitation

An attacker needs to host a malicious website that triggers a navigation loop. The user must visit the crafted site; no additional authentication or privileges are required. The loop causes the address bar to display an incorrect (spoofed) URL.

Impact

Successful exploitation enables the attacker to perform a phishing attack. The user sees a fraudulent URL in the address bar, potentially leading to disclosure of sensitive information. The impact is limited to UI spoofing; no code execution or data theft beyond user interaction is indicated.

Mitigation

As of the publication date (2022-05-12), no fixed version is specified in the references. Users should refer to F-Secure's security advisories [1] for updates. Until a patch is available, caution is advised when visiting untrusted websites.