Independent researcher Dhiraj Mishra discovered a vulnerability in Android version of DuckDuckGo browser (version 5.26.0) that was downloaded and installed more than 5 000 000 times.Bug received identified CVE-2019-12329 and allows substituting URL in the address line of the protected browser, cheating the user.
The problem is that content of the address line can be faked.
While real website duckduckgo.com automatically loads every 50 milliseconds, researcher managed to have reflection of the entirely different content in browser.
Internet-security specialists have good reasons to call such attacks to be the worst type of fishing, as if user cannot trust its own browsers’ address line, the things are bad.
Issue is still not fixed, though researcher reported about it via HackerOne platform in October 2018. After a long discussion, DuckDuckGo developers preferred to mark report on vulnerability as “informative”, paid a revenue to a researcher, but said that do not view bug as a serious vulnerability.