DuckDuckGo 7.64.4 Address Bar Spoofing

DuckDuckGo version 7.64.4 suffers from an address bar spoofing vulnerability.

MD5 | 424b48b941f4c2772ba6f7c44cb8ce00

#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 7.64.4
#Impact: Moderate
#Company: Cyber Citadel


DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.

*Proof of Concept (POC)*

Following is the POC that could be used to reproduce the issue:

function spoof(){
document.body.innerHTML='This is not Google!';("This is not
<input type="button" value="Run"


The issue could be abused to carry out more effective phishing attacks
against it's users.

Related Posts