Pakistani hacker, Rafay Baloch, has won a combined bug bounty of $5,000 after finding a flaw in how browsers use their omnibox address bars.
He found a vulnerability with the way Chrome and Firefox render website addresses, and how an attacker could potentially use it to trick users into visiting a phishing website.
In a blog post, he explained that the bug could be used to fool users into thinking that the website they are visiting is the real one, thereby making them reveal their sensitive information such as IDs and passwords to the scammers.
All Omnibox browsers could be used to trick users into phishing scams
Phishing attacks are those where the user is presented with a lookalike page to the original website. The page has the same looks and design and fools the user into entering their login details and other critical information. However usually, the website address gives away the true nature of a phishing website as it cannot be the same as the original website.
The address bar spoofing in browsers works by employing a right-to-left language, like Urdu, Arabic or Persian, and forcing the browser to render it differently. Rafay stated that when a neutral right-to-left character (such as forward slash or any other special character) is used, it can flip a web address to display it in the right-to-left direction.
For example, 127.0.0.1/ا/http://google.com would appear as a right to left as http://google.com/ا/127.0.0.1.
The user would think that they are visiting google.com. However, they would in reality be visiting the web page from the IP address 127.0.0.1. Such links could be hidden in spam email, tweets or shortened links.
The bug is yet to be fixed by most browsers
According to Rafay Baloch, the upcoming versions of Chrome 53 and Firefox 48 will fix this vulnerability. For the time being there isn’t much information regarding other browsers about a timeline regarding their fix for this vulnerability.
Pakistan/India Main Hackers Ko CHOR Samjha Jata Hai Jabke Unki Life Hackers Ki Waja Se Hi Easy Hai….Hackers Na Hoty To Sab Ko Expensive Windows Buy Karni Parti..
THE COMMENT HAS BEEN DISABLED
Rip English
Rafay, one of my good friend :)
Hehe
great
The title totally misleads from the real story. The guy has found a universal bug in all browsers. That is huge, that is bigger then $5000
Not really, browsers can be configured to display full URL very easily. People will good opsec use that.
Google chrome and firefox full url hi dikhate han, opera ni dikhata
Poor opera users boo hoo
I’ve also found bug in facebook. So where can i get the money by reporting it with video proves?
email the support team but don’t show video proof unless u get contact with the right person.
Yaar waise $5000 is nothing for the likes of chrome and firefox, bache ko loot lia. Itne kam main tarkhaa diya…
That’s right Pakistan Pride ke aage tu no amount would stand firm.
Allah pak Pakistan ko qayamat tak qaim-o-daim aur shaad-o-aabad rakhe. Aaameen
Ameeen !
im looking for hacker can anyone help
if there is good hacker out there contact me on [email protected] 5000$ is lose change you will make
that in few days