Apple, Opera, and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable

Year after year, phishing remains one of the most popular and effective ways for attackers to steal your passwords. As users, we’re mostly trained to spot the telltale signs of a phishing site, but most of us rely on carefully examining the web address in the browser’s address bar to make sure the site is legitimate.

But even the browser’s anti-phishing features — often the last line of defense for a would-be phishing victim — aren’t perfect.

Security researcher Rafay Baloch found several vulnerabilities in some of the most widely used mobile browsers — including Apple’s Safari, Opera, and Yandex — which, if exploited, would allow an attacker to trick the browser into displaying a different web address than that of the website the user is actually on. These address bar spoofing bugs make it far easier for attackers to make their phishing pages look like legitimate websites, creating the perfect conditions for someone trying to steal passwords.

The bugs worked by exploiting a weakness in the time it takes for a vulnerable browser to load a web page. Once a victim is tricked into opening a link from a phishing email or text message, the malicious web page uses code hidden on the page to effectively replace the malicious web address in the browser’s address bar with any other web address that the attacker chooses.

In at least one case, the vulnerable browser retained the green padlock icon, indicating that the malicious web page with a spoofed web address was legitimate — when it wasn’t.

An address bar spoofing bug in Opera Touch for iOS (left) and Bolt Browser (right). These spoofing bugs can make phishing emails look far more convincing. (Image: Rapid7/supplied)

Rapid7’s research director Tod Beardsley, who helped Baloch with disclosing the vulnerabilities to each browser maker, said address bar spoofing attacks put mobile users at particular risk.

“On mobile, space is at an absolute premium, so every fraction of an inch counts. As a result, there’s not a lot of space available for security signals and sigils,” Beardsley told TechCrunch. “While on a desktop browser, you can either look at the link you’re on, mouse over a link to see where you’re going, or even click on the lock to get certificate details. These extra sources don’t really exist on mobile, so the location bar not only tells the user what site they’re on, it’s expected to tell the user this unambiguously and with certainty. If you’re on palpay.com instead of the expected paypal.com, you could notice this and know you’re on a fake site before you type in your password.”

“Spoofing attacks like this make the location bar ambiguous, and thus, allow an attacker to generate some credence and trustworthiness to their fake site,” he said.

Baloch and Beardsley said the browser makers responded with mixed results.

So far, only Apple and Yandex pushed out fixes in September and October. Opera spokesperson Julia Szyndzielorz said the fixes for its Opera Touch and Opera Mini browsers are “in gradual rollout.”

But the makers of UC Browser, Bolt Browser, and RITS Browser — which collectively have more than 600 million device installs — did not respond to the researchers and left the vulnerabilities unpatched.

TechCrunch reached out to each browser maker but none provided a statement by the time of publication.

Conquer Your Pup’s Dander and Fur With $700 Off a Cobalt or Charcoal Bobsweep PetHair Plus Robot Vacuum

Bobsweep PetHair Plus Robot Vacuum & Mop (Cobalt) | $200 | Best Buy

Bobsweep PetHair Plus Robot Vacuum & Mop (Charcoal) | $200 | Best Buy

Allergies can be bad enough as the seasons change. Keep pet hair and dander from adding to that by vacuuming it up early and often. That chore is easier said than done — unless you have a robot vacuum to do the work for you. This lovely bright cobalt Bobsweep PetHair Plus robot vacuum and mop, only $200 today at Best Buy, seems like an ideal option. That’s a whopping $700 off, by the way.

You can get the same deal for the charcoal version of the robot vac, too. This model is not only specially made for picking up pet hair; it also self-docks and charges when it’s finished with the work.

It also comes with a mop attachment, so it can take care of those kitchen floors for you as well. Grab it while it’s still available for this fantastic price!

Apple will replace AirPods Pro for free with faulty noise cancellation, static or crackling

Today, exactly one year after Apple first launched the AirPods Pro — and thus the same day the very first AirPods Pro owners will see their one-year warranties expire — Apple has launched a repair program that offers free repairs or replacements for another whole year if your AirPods Pro experience issues with noise cancellation or static.

Specifically, Apple will fix:

Crackling or static sounds that increase in loud environments, with exercise or while talking on the phone

Active Noise Cancellation not working as expected, such as a loss of bass sound, or an increase in background sounds, such as street or airplane noise

Apple says only a “small percentage of AirPods Pro” are affected by the issues, but it apparently wasn’t just an early batch — Apple says affected units were manufactured “before October 2020,” meaning every AirPods Pro ever made might be eligible. That’s quite a recall if so. Apple says it will repair faulty AirPods Pro for two years after you first buy them.

We’ve heard complaints about degraded noise cancellation before, and at least one Verge editor has replaced their AirPods Pro under warranty. It’s nice to hear that Apple isn’t just cutting buyers off as soon as that warranty expires.

This 55″ 4K TCL Smart TV Hangs on Your Wall for $200

TCL 55″ S434 4K Smart TV | $200 | Best Buy

Best Buy has an insane deal going for a brand new 55″ 4K TCL smart TV. It’s the S434, which is pretty baseline for TCL’s lineup, but at just $200, there’s little to complain about. TCL’s panels are plenty sharp and accurate, and with this set, you’ll get HDR10 compliance for enhanced color and brightness in supported games and video content. This model has Android TV onboard for all your app needs, and with an included voice remote, all your favorite content is just a shout away with the help of Google Assistant.
