Pakistani Hacker Awarded $5,000 for Finding Bug in Chrome and Firefox

Pakistani hacker, Rafay Baloch, has won a combined bug bounty of $5,000 after finding a flaw in how browsers use their omnibox address bars.

He found a vulnerability with the way Chrome and Firefox render website addresses, and how an attacker could potentially use it to trick users into visiting a phishing website.

In a blog post, he explained that the bug could be used to fool users into thinking that the website they are visiting is the real one, thereby making them reveal their sensitive information such as IDs and passwords to the scammers.

All Omnibox browsers could be used to trick users into phishing scams

Phishing attacks are those where the user is presented with a lookalike page to the original website. The page has the same looks and design and fools the user into entering their login details and other critical information. However usually, the website address gives away the true nature of a phishing website as it cannot be the same as the original website.

The address bar spoofing in browsers works by employing a right-to-left language, like Urdu, Arabic or Persian, and forcing the browser to render it differently. Rafay stated that when a neutral right-to-left character (such as forward slash or any other special character) is used, it can flip a web address to display it in the right-to-left direction.

For example, 127.0.0.1/ا/http://google.com would appear as a right to left as http://google.com/‭ا/127.0.0.1.

The user would think that they are visiting google.com. However, they would in reality be visiting the web page from the IP address 127.0.0.1. Such links could be hidden in spam email, tweets or shortened links.

The bug is yet to be fixed by most browsers

According to Rafay Baloch, the upcoming versions of Chrome 53 and Firefox 48 will fix this vulnerability. For the time being there isn’t much information regarding other browsers about a timeline regarding their fix for this vulnerability.

He is the Editor-in-Chief at ProPakistani. Reach out at aadil.s[at]propakistani.pk


  • Pakistan/India Main Hackers Ko CHOR Samjha Jata Hai Jabke Unki Life Hackers Ki Waja Se Hi Easy Hai….Hackers Na Hoty To Sab Ko Expensive Windows Buy Karni Parti..

    • email the support team but don’t show video proof unless u get contact with the right person.

  • That’s right Pakistan Pride ke aage tu no amount would stand firm.

    Allah pak Pakistan ko qayamat tak qaim-o-daim aur shaad-o-aabad rakhe. Aaameen

  • Ltd feature videos

    Watch more at LTD

    close
    >