Chrome, Firefox fix flaw that allows spoofed URLs

By on
Chrome, Firefox fix flaw that allows spoofed URLs

A Pakistani security researcher discovered a vulnerability affecting Chrome and Firefox browser configurations of URLs in address bars.

Rafay Baloch noticed that Chrome's Omnibox API re-orders the way URLs in some languages are displayed in the address bar.

Characters in Arabic and Hebrew, for example, are displayed right-to-left, rather than left-to-right in the address bar. Baloch created a proof-of-concept test that demonstrates a malicious attacker could exploit the way Firefox and Google Chrome's Omnibox API displays URLs.

In a blog post published Tuesday US time, Baloch wrote that “several other browsers” are affected by similar vulnerabilities. The other browsers are currently addressing the flaws and he will refrain from disclosure of the other browsers' vulnerabilities.

“Details will be disclosed, once a fix has been landed.” Chrome and Firefox awarded Baloch a US$5,000 bug bounty for his discovery of the spoofing flaw.

In his proof-of-concept example, the URL “http://عربي.امارات/” would appear in the address bar as “عربي.امارات”. An attacker could then direct users to a different website than the intended legitimate URL.

This article originally appeared at

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register


What does your business want for Christmas?
Skilled people who'll take Elves' wages
A stocking full of good leads
Please, Santa, drop some cash down the chimney!
All status indicators green like misteltoe, none red like Rudolph's nose
A peaceful, relaxing time for the team and our clients, and all their families
View poll archive

Log In

Username / Email:
  |  Forgot your password?