Puffin Web Browser Address Bar Spoofing Vulnerability
During my recent research on Mobile browsers i have managed to find couple of interesting vulnerabilities such as SOP bypass, Denial of service and Address bar spoofing vulnerability which are worth doing a writeup. However, In the following writeup I would discuss about an "Address Bar Spoofing Vulnerability" present inside of a well known mobile browser for both Android and iOS known as "Puffin Web Browser".
Description
Let's take a look at an official description of Puffin Web Browser.Puffin Web Browser is a wicked fast Mobile Flash Browser. Once users experience the thrill of using Puffin, regular Mobile Internet just feels like torture. Puffin Free is the free version of Puffin family, and supports Adobe Flash during the daytime everyday. Puffin Web Browser comes into two different flavours, a free version and a paid version.
Popularity
According to recent stats by Google play, the approximate installs for "Puffin Web Browser Free" are some where between the range of 5 Million to 10 Million installs.
Whereas, according to another popular Android market "Mobogenie", the approximate installs for "Puffin Web Browser Free" are more than 5 Million.
This makes the total userbase of Puffin Web Browser more than 10 million.
Vulnerability
An "Address Bar Spoofing" vulnerability was addressed in "Puffin Web Browser" due to mishandling of javaScript's window.open function which is used to open a secondary browser window. This could be exploited by tricking the users into supplying senstive information such as username/passwords etc due to the fact that the address bar would display a legitimate URL, however it would be hosted on the attacker's page.
Proof Of Concept
The following piece of javaScript code was used as a proof of concept by modifying "David Vieria's" POC to suit our needs and to demonstrate the vulnerability to the vendor.
<script>
document.getElementById('one').onclick = function() {
myWindow=window.open('http://rafayhackingarticles.net/','RHA','width=300,height=300,location=yes');
myWindow.document.write("<html><head></head><body><b>This page is still being hosted on rhainfosec.com, however the domain is pointing to rafayhackingarticles.net.</b><br><br><iframe src=\"http://www.rafayhackingarticles.net/\");></iframe></scri+pt></body></html>");
myWindow.focus();
return false;
}
</script>
Steps To Reproduce
2) Click on the "demo" button.
3) A new window would pop up with the address bar pointing to rafayhackingarticles.net, however the page is still hosted on rhainfosec.com.
In case of a real attack scenario, an attacker could create a fake login of facebook.com for instance and since the address bar would still be pointing to facebook.com, the victim would not
Demonstration
Impact
The impact in my opinion is huge since this vulnerability could be abused in launching targetted and more effective phishing attacks, which places 10 million users at risk.Fix
The vulnerability was submitted on 10'th of june, I received an initial response that they would let us know about the schedule, however after multiple emails, we didn't receive any response. Therefore, I decided to go for full disclosure and urge the users to beware.
As mentioned before, I have found several other vulnerabilities in mobile browsers, as soon as they get fixed I would blog about it. Kudos to David Vieria for his guidance.
Timeline
6/10/2014 - I reported the vulnerability.6/13/2014 - Initial response.
6/26/2014 - I asked again if they are willing to fix it.
7/14/2014 - Blogged about this issue.