Version 5.26.0 of DuckDuckGo Privacy Browser application on Android is found to be vulnerable according to security researcher Dhiraj Mishra, giving attackers the ability to run URL spoofing attacks. The flaw is being identified as CVE-2019-12329. A researcher who discovered the vulnerability provided a proof-of-concept in which he showed how he was able to reload a URL every 10 to 50 ms. He was able to accomplish this by spoofing the browser’s omnibar with assistance from a JavaScript page that takes advantage of the “setInterval” function. For attackers to implement this into their methods they would change the displayed URL and make it look like a legitimate domain, in reality, the site would be operated by an attacker. From there, user’s information could be stolen through efforts of phishing landing pages or malvertising campaigns. While the vulnerability was initially reported to DuckDuckGo on October 31st, 2018 and marked with high concern, investigations were completed by May 27th, 2019 and the seriousness of the matter was greatly reduced.