CVE-2022-38164
Description
A vulnerability affecting F-Secure SAFE browser for Android and iOS was discovered. A maliciously crafted website could carry out a phishing attack through URL spoofing, because the browser displays only a certain part of the entire URL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A URL spoofing vulnerability in F-Secure SAFE browser (Android/iOS) allows phishing via long subdomains, affecting versions 19.0 and below.
Vulnerability
A URL spoofing vulnerability exists in F-Secure SAFE browser for Android and iOS (also known as F-Secure Internet Security Browser) in versions 19.0 and below [2]. The browser truncates long subdomains in the address bar, causing only a portion of the URL to be displayed. This allows a maliciously crafted website to present a misleading URL that appears to belong to a trusted domain.
Exploitation
An attacker must host a website with an extremely long subdomain that, when visited, causes the browser's address bar to show only the latter part of the URL (e.g., the trusted domain) while the actual site is malicious. No authentication or special privileges are required; the victim only needs to visit the crafted URL.
Impact
Successful exploitation enables phishing attacks. The victim sees a spoofed URL and may believe they are on a legitimate site, potentially leading to disclosure of sensitive information such as credentials.
Mitigation
F-Secure has addressed this vulnerability in versions above 19.0. Users should update their browser to the latest version available [2]. No workaround is documented.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
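One way an address bar can shorten a long hostname without hiding the domain that identifies the site, as an added example (not F-Secure's code or fix). `SUFFIXES` is a tiny stand-in for the Public Suffix List, the function names are hypothetical, and the sample hostname is constructed on the reserved `.test` TLD.

```javascript
// Constructed stand-in for the Public Suffix List (assumption, not a real PSL).
const SUFFIXES = new Set(["com", "org", "co.uk", "test"]);

// Constructed sample: trusted-looking labels on the left, real site on the right.
const SAMPLE = "login.bank.test.padding-padding-padding.account-check.test";

// Registrable domain = public suffix plus one label to its left.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  // Longest candidate suffix first, so "co.uk" wins over a bare "uk".
  for (let i = 1; i < labels.length; i++) {
    if (SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return host.toLowerCase(); // unknown suffix: treat the whole host as the domain
}

// True when the text shown to the user still contains the whole registrable
// domain, aligned on a label boundary at the right-hand end.
function domainVisible(host, shown) {
  const domain = registrableDomain(host);
  const s = shown.toLowerCase();
  return s === domain || s.endsWith("." + domain);
}

// Fit a hostname into maxChars by dropping subdomain labels from the left and
// marking the cut with an ellipsis. The registrable domain is never dropped,
// even if that means exceeding maxChars (the UI should then scroll, not cut).
function displayHost(host, maxChars) {
  const h = host.toLowerCase();
  const domain = registrableDomain(h);
  if (h.length <= maxChars || h === domain) return h;
  const sub = h.slice(0, -(domain.length + 1)).split(".");
  let candidate = h;
  while (sub.length > 0) {
    sub.shift(); // drop the leftmost remaining subdomain label
    candidate = ["\u2026", ...sub, domain].join(".");
    if (candidate.length <= maxChars) break;
  }
  return candidate;
}

console.log(displayHost(SAMPLE, 30));
console.log(domainVisible(SAMPLE, SAMPLE.slice(0, 30)));
```

A fixed-width cut of the same hostname fails `domainVisible`, which is the condition the description above attributes to the affected versions.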
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.