In Android version of DuckDuckGo browser found vulnerability that helps faking URL

Independent researcher Dhiraj Mishra discovered a vulnerability in Android version of DuckDuckGo browser (version 5.26.0) that was downloaded and installed more than 5 000 000 times.

Bug received identified CVE-2019-12329 and allows substituting URL in the address line of the protected browser, cheating the user.

The problem is that content of the address line can be faked.

“It was observed that the DuckDuckGo privacy browser ominibar can be spoofed by a crafted javascript page spoofing setInterval` function and reloading the URL in every 10 to 50 ms.”, — reported Dhiraj Mishra.

While real website automatically loads every 50 milliseconds, researcher managed to have reflection of the entirely different content in browser.

PoC-exploit can be seen below.
duckduckgo poc-exploit

Internet-security specialists have good reasons to call such attacks to be the worst type of fishing, as if user cannot trust its own browsers’ address line, the things are bad.

Issue is still not fixed, though researcher reported about it via HackerOne platform in October 2018. After a long discussion, DuckDuckGo developers preferred to mark report on vulnerability as “informative”, paid a revenue to a researcher, but said that do not view bug as a serious vulnerability.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button