For more than a year, the mobile versions of the Google Chrome, Firefox and Safari browsers did not warn their users about phishing resources. This was reported in research published by a group of specialists from Arizona University and the PayPal company.
“We discovered a great hole in the security of the most popular mobile browsers. To our surprise, between 2017 and the end of 2018 Google Chrome, Firefox and Safari did not show any notifications about websites from the blacklist, even with the enabled security settings that ensure protection from such resources” – the researchers reported.
The issue was not limited to browsers that are supported by Google Safe Browsing technology. It arose after the transition to a new mobile API in which data consumption was optimized. As it turned out, the API did not work as expected.
“At the same time, the blacklist function was activated, so users expected that the Internet browser would notify them about fraudulent websites” – the specialists argued.
The incorrect operation of Google Safe Browsing was discovered as part of the PhishFarm research project, which started in 2017.
During the research, the specialists created 2380 fake authorization pages for the PayPal service. The researchers implemented in them mechanisms for bypassing browsers’ blacklists and checked how long it took for the pages to be added to a blacklist (if they were added at all).
The authors of the research notified Google about the issue, and at the end of last year it was fixed.
Aside from Google Safe Browsing, the specialists tested technologies such as Microsoft SmartScreen and the blacklisting mechanisms of US-CERT, the Anti-Phishing Working Group, PayPal, PhishTank, Netcraft, WebSense, McAfee and ESET.