Advertisements

Saturday, 6 April 2019

Researcher finds URL spoofing vulnerability on Mi browser and Mint Browser, Mi Security team acknowledges the issue

Arif Khan, an independent security researcher has recently discovered an issue on Xiaomi Browsers including Mi Browser and recently launched Mint Browser. The vulnerability (CVE-2019-10875) was found to be present in Global version of these browsers and not on the Chinese version, which as per the researcher might be intentional. How was the vulnerability discovered? The researcher says that it was an accidental discovery, and it didn't require much effort. He decided to test a certain feature in Mi Browser which was behaving abnormally than expected. As per the researcher, it was discovered when he tried to open a Google query search link through Mi Browser, and it tried to display only the 'search query' in the URL address bar. As per him, it takes almost 0 user interactions user to exploit. When you try to open a link with a query portion with that URL, Xiaomi's browsers try to display it as search engines would display it in the search bar, but the URL bar doesn't display the full URL, and this not only happens in case of popular search engine websites but also with other websites. Mi Security team (MiSRC) acknowledged the vulnerability and Researcher got the reward! As per Khan, Mi Security team has accepted ...