Pakistani Hacker Awarded $5,000 for Finding Bug in Chrome and Firefox

Pakistani hacker, Rafay Baloch, has won a combined bug bounty of $5,000 after finding a flaw in how browsers use their omnibox address bars.

He found a vulnerability with the way Chrome and Firefox render website addresses, and how an attacker could potentially use it to trick users into visiting a phishing website.

In a blog post, he explained that the bug could be used to fool users into thinking that the website they are visiting is the real one, thereby making them reveal their sensitive information such as IDs and passwords to the scammers.

All Omnibox browsers could be used to trick users into phishing scams

Phishing attacks are those where the user is presented with a lookalike page to the original website. The page has the same looks and design and fools the user into entering their login details and other critical information. However usually, the website address gives away the true nature of a phishing website as it cannot be the same as the original website.

The address bar spoofing in browsers works by employing a right-to-left language, like Urdu, Arabic or Persian, and forcing the browser to render it differently. Rafay stated that when a neutral right-to-left character (such as forward slash or any other special character) is used, it can flip a web address to display it in the right-to-left direction.

For example,ا/ would appear as a right to left as‭ا/

The user would think that they are visiting However, they would in reality be visiting the web page from the IP address Such links could be hidden in spam email, tweets or shortened links.

The bug is yet to be fixed by most browsers

According to Rafay Baloch, the upcoming versions of Chrome 53 and Firefox 48 will fix this vulnerability. For the time being there isn’t much information regarding other browsers about a timeline regarding their fix for this vulnerability.

He is the Editor at ProPakistani.