Version 5.26.0 of DuckDuckGo Privacy Browser application on Android is found to be vulnerable according to security researcher Dhiraj Mishra, giving attackers the ability to run URL spoofing attacks. The flaw is being identified as CVE-2019-12329. A researcher who discovered the vulnerability provided a proof-of-concept in which he showed how he was able to reload a URL every 10 to 50 ms. He was able to accomplish this by spoofing the browser’s omnibar with assistance from a JavaScript page that takes advantage of the “setInterval” function. For attackers to implement this into their methods they would change the displayed URL and make it look like a legitimate domain, in reality, the site would be operated by an attacker. From there, user’s information could be stolen through efforts of phishing landing pages or malvertising campaigns. While the vulnerability was initially reported to DuckDuckGo on October 31st, 2018 and marked with high concern, investigations were completed by May 27th, 2019 and the seriousness of the matter was greatly reduced.
Analyst Notes
Users who are concerned about becoming victim to URL spoofing may want to implement a spoofing detection software. These types of programs scan and certify data as legitimate before it is transferred, allowing data that may be spoofed to be blocked. Cryptographic network protocols such as TLS, SSH, and HTTPS should also be used because it encrypts sent data and authenticates received data.
