CVE-2022-38163
Description
A drag-and-drop spoofing vulnerability was discovered in F-Secure SAFE Browser for Android and iOS version 19.0 and below. A drag-and-drop operation by the user on the address bar could lead to spoofing of the address bar.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A drag-and-drop spoofing vulnerability in F-Secure SAFE Browser for Android and iOS versions 19.0 and below allows an attacker to spoof the address bar.
Vulnerability
A drag-and-drop spoofing vulnerability exists in F-Secure SAFE Browser (Internet Security Browser) for Android and iOS versions 19.0 and below [2][3]. The vulnerability can be triggered by a user performing a drag-and-drop operation on the address bar, which may cause the displayed address bar content to be spoofed [3]. This issue was reported through F-Secure's Vulnerability Reward Program [3].
Exploitation
To exploit this vulnerability, an attacker would need to trick the user into performing a drag-and-drop interaction on the address bar [3]. No authentication or special network position is required beyond the ability to present a web page that induces the user to perform the drag-and-drop action. The exact sequence of steps to trigger the spoof is not detailed in the available references, but it involves user interaction with the browser's address bar [2][3].
Impact
Successful exploitation allows an attacker to spoof the address bar, potentially misleading the user about the true origin of the page being visited [3]. This spoofing could lead to the disclosure of sensitive information (e.g., credentials) if the user is tricked into interacting with a fraudulent page thinking it is a legitimate site. The impact is limited to spoofing of the address bar; no code execution or privilege escalation is indicated [3].
Mitigation
The vulnerability has been fixed in F-Secure Internet Security Browser version 19.2, which was released to the automatic update channel on 25 October 2022 [3]. No user action is required, as the update is delivered automatically [3]. Users should ensure their browser is updated to version 19.2 or later to mitigate the risk [3].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=19.0
Patches
No patches discovered yet.
References (3)
News mentions
No linked articles in our index yet.