CVE-2022-47524

Vulnerability

F-Secure SAFE Browser 19.1 and earlier for Android is vulnerable to an IDN homograph attack. The browser fails to properly display internationalized domain names (IDNs) in messages containing malicious URLs, allowing an attacker to create domain names that visually mimic legitimate ones using characters from different scripts [1]. This vulnerability affects versions 19.1 and below of the F-Secure SAFE Browser for Android [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious URL that uses homograph characters (for example, a Cyrillic letter indistinguishable from a Latin letter) to impersonate a trusted domain. The attacker must then induce the user to view a message containing this URL within the vulnerable browser. No special network position or authentication is required beyond the ability to deliver a message to the user [1].

Impact

If an attacker successfully tricks a user into believing they are visiting a legitimate website, the user may be directed to a malicious homograph domain. This could lead to disclosure of sensitive information or further compromise, depending on the attacker's site content, although no such exploit has been observed in the wild [1].

Mitigation

The vulnerability is fixed in version 19.2, which was automatically pushed to users on 22 December 2022. No user action is required to receive the update. There is no known workaround for unpatched versions [1].