Pakistani Hacker Awarded $5,000 for Finding Bug in Chrome and Firefox

Pakistani hacker, Rafay Baloch, has won a combined bug bounty of $5,000 after finding a flaw in how browsers use their omnibox address bars.

He found a vulnerability with the way Chrome and Firefox render website addresses, and how an attacker could potentially use it to trick users into visiting a phishing website.

In a blog post, he explained that the bug could be used to fool users into thinking that the website they are visiting is the real one, thereby making them reveal their sensitive information such as IDs and passwords to the scammers.

All Omnibox browsers could be used to trick users into phishing scams

Phishing attacks are those where the user is presented with a lookalike page to the original website. The page has the same looks and design and fools the user into entering their login details and other critical information. However usually, the website address gives away the true nature of a phishing website as it cannot be the same as the original website.

The address bar spoofing in browsers works by employing a right-to-left language, like Urdu, Arabic or Persian, and forcing the browser to render it differently. Rafay stated that when a neutral right-to-left character (such as forward slash or any other special character) is used, it can flip a web address to display it in the right-to-left direction.

For example, 127.0.0.1/ا/http://google.com would appear as a right to left as http://google.com/‭ا/127.0.0.1.

The user would think that they are visiting google.com. However, they would in reality be visiting the web page from the IP address 127.0.0.1. Such links could be hidden in spam email, tweets or shortened links.

The bug is yet to be fixed by most browsers

According to Rafay Baloch, the upcoming versions of Chrome 53 and Firefox 48 will fix this vulnerability. For the time being there isn’t much information regarding other browsers about a timeline regarding their fix for this vulnerability.

He is the Editor at ProPakistani.


  • Technical Usama

    Pakistan/India Main Hackers Ko CHOR Samjha Jata Hai Jabke Unki Life Hackers Ki Waja Se Hi Easy Hai….Hackers Na Hoty To Sab Ko Expensive Windows Buy Karni Parti..

    • MaliCk JD

      THE COMMENT HAS BEEN DISABLED

      • Taha Najam

        Rip English

  • Anonymous

    Rafay, one of my good friend :)

    • Khurram ShahzAd

      Hehe

  • great

  • The title totally misleads from the real story. The guy has found a universal bug in all browsers. That is huge, that is bigger then $5000

    • Shahid Saleem

      Not really, browsers can be configured to display full URL very easily. People will good opsec use that.

      • PANAIA JUNE

        Google chrome and firefox full url hi dikhate han, opera ni dikhata

        • Shahid Saleem

          Poor opera users boo hoo

  • Awais

    I’ve also found bug in facebook. So where can i get the money by reporting it with video proves?

    • Sheldon Cooper

      email the support team but don’t show video proof unless u get contact with the right person.

  • KMQ

    Yaar waise $5000 is nothing for the likes of chrome and firefox, bache ko loot lia. Itne kam main tarkhaa diya…

  • KMQ

    That’s right Pakistan Pride ke aage tu no amount would stand firm.

    Allah pak Pakistan ko qayamat tak qaim-o-daim aur shaad-o-aabad rakhe. Aaameen

    • MaliCk JD

      Ameeen !

  • imran nazir

    im looking for hacker can anyone help

  • imran nazir

    if there is good hacker out there contact me on [email protected] 5000$ is lose change you will make
    that in few days