Incorrect URL Eliding in Browser Address Bar
(Firefox for Android :: Toolbar, defect)
(Reporter: severustalin, Unassigned)
(Keywords: reporter-external, Whiteboard: [client-bounty-form])
Attachments (1 file): 98.20 KB, image/png
Android APK Name & Version:
org.mozilla.firefox - 134.0
org.mozilla.focus - 134.0
org.mozilla.firefox_beta - 135.0b3
org.mozilla.fenix - 136.0a1
Vulnerability Description:
When a user opens a spoofed URL, the browser typically displays only the front-end part of the site, making it appear similar to the legitimate one, even though it is actually a spoof. Most browsers show the main domain rather than the full subdomain. For example, if an attacker shares a spoofed URL like legitimate-bank.spoofed.com, the real, legitimate domain would be legitimate-bank.
Steps-To-Reproduce:
1. Open the URL https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/
2. Check the address bar
Remediation plan:
Instead of displaying the full domain, browsers could show only the main domain, as the subdomain is often legitimate. Alternatively, they could highlight the main domain to make it easier for users to identify and differentiate between legitimate and spoofed sites.
Refer:
https://hackerone.com/reports/2501378
https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/url_display_guidelines/url_display_guidelines.md#simplify
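The remediation plan above, as an added example that is not from the bug report or from Firefox's code: a function that derives the registrable domain (eTLD+1) of a URL's host and produces both proposed renderings, eliding the subdomain or marking the main domain for highlighting. It assumes a small constructed public-suffix list in place of the real Public Suffix List that browsers consult.

```javascript
// Added example (not from the bug report or from Firefox): compute the
// registrable domain (eTLD+1) of a URL's host and render the two address-bar
// treatments the remediation plan proposes. The suffix list below is a tiny
// constructed stand-in for the real Public Suffix List (assumption).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk", "github.io"]);

// Longest public suffix matching the host; unknown TLDs fall back to the last label.
function publicSuffix(host) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// eTLD+1, or null when the host is itself a public suffix.
function registrableDomain(host) {
  const labels = host.split(".");
  const suffixLen = publicSuffix(host).split(".").length;
  if (labels.length <= suffixLen) return null;
  return labels.slice(-(suffixLen + 1)).join(".");
}

// IPv4 dotted quads and bracketed IPv6 literals have no registrable domain.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
}

// Returns the full host, the part a user should anchor on, and both renderings:
//   elided    -> only the registrable domain is shown
//   highlight -> full host, with the registrable domain wrapped in «» for emphasis
function describeHost(urlString) {
  const host = new URL(urlString).hostname.toLowerCase();
  const domain = isIpLiteral(host) ? null : registrableDomain(host);
  if (domain === null || domain === host) {
    // Nothing to elide: show the host unchanged in both modes.
    return { host, domain: host, subdomain: "", elided: host, highlight: host };
  }
  const subdomain = host.slice(0, host.length - domain.length - 1);
  return {
    host,
    domain,
    subdomain,
    elided: domain,
    highlight: `${subdomain}.\u00AB${domain}\u00BB`,
  };
}
```

For the reproduction URL above, `describeHost` elides the long subdomain to `badssl.com`; for `legitimate-bank.spoofed.com` the part a user should anchor on is `spoofed.com`, which is exactly what the full-host display makes hard to see.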