A Pakistani security researcher discovered a vulnerability affecting Chrome and Firefox browser configurations of URLs in address bars.
Rafay Baloch noticed that Chrome's Omnibox API re-orders the way URLs in some languages are displayed in the address bar.
Characters in Arabic and Hebrew, for example, are displayed right-to-left, rather than left-to-right in the address bar. Baloch created a proof-of-concept test that demonstrates a malicious attacker could exploit the way Firefox and Google Chrome's Omnibox API displays URLs.
In a blog post published Tuesday US time, Baloch wrote that “several other browsers” are affected by similar vulnerabilities. The other browsers are currently addressing the flaws and he will refrain from disclosure of the other browsers' vulnerabilities.
“Details will be disclosed, once a fix has been landed.” Chrome and Firefox awarded Baloch a US$5,000 bug bounty for his discovery of the spoofing flaw.
In his proof-of-concept example, the URL “http://عربي.امارات/google.com/test/test/test” would appear in the address bar as “google.com/test/test/test/عربي.امارات”. An attacker could then direct users to a different website than the intended legitimate URL.