Unpatched URL Spoofing Vulnerability Discovered in UC Browser and UC Browser Mini
A recently uncovered security flaw poses a significant threat to users of UC Browser and UC Browser Mini, widely used mobile applications developed by Alibaba-owned UCWeb. This vulnerability, which remains unpatched, allows attackers to manipulate the address bar, potentially deceiving users into believing they are visiting legitimate websites.
The UC Browser, prevalent in China and India with a user base exceeding 500 million, has been flagged by cybersecurity researcher Arif Khan, who disclosed the details to The Hacker News. His findings indicate the vulnerability emerges from shortcomings in the user interface’s handling of a feature intended to enhance the Google search experience. Specifically, the browsers automatically obscure the domain in the address bar when users perform a search, displaying only the query itself.
Unfortunately, this design flaw lets malicious actors abuse the address bar by crafting URLs whose hostname begins with a legitimate-looking domain but actually belongs to a phishing site. For example, an attacker could design a URL structured as “www.google.com.phishing-site.com?q=www.facebook.com,” misleading users into thinking they are interacting with a trusted site while accessing a harmful destination.
This vulnerability affects the latest versions of UC Browser (12.11.2.1184) and UC Browser Mini (12.10.1.1192), which are utilized by over 500 million and 100 million users, respectively, according to data from the Google Play Store. While similar to a flaw found in the MI Browser, pre-installed on Xiaomi devices, the UC Browser vulnerability carries distinct characteristics that generally allow discerning users to identify the potential phishing attempts.
A closer look at the code behind this vulnerability shows that the regular expression (regex) filtering used by UC Browser can be bypassed. Arif Khan pointed out that by crafting subdomains that mimic trusted sites, attackers can deceive the browser’s logic into misinterpreting the domain, which ultimately facilitates the phishing attack. Although the UC vulnerability does not spoof SSL indicators, which are critical cues for users evaluating site authenticity, its potential for exploitation remains high due to the design oversights.
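The difference between pattern-matching the URL string and comparing the parsed hostname is shown in the following added example, which is not UC Browser's code and not from the researcher's report. The weak pattern, the function names and the trusted-host list are assumptions chosen to reproduce the behaviour described above; the sample URLs are constructed from the one quoted in this article.

```javascript
// Added illustration. WEAK_PATTERN is a hypothetical stand-in for the kind of
// regex filter described in the article, not the browser's actual expression.
const WEAK_PATTERN = /^(https?:\/\/)?www\.google\.com/;

// Weak check: matches the raw string, so any hostname that merely starts
// with "www.google.com" is treated as a Google search page.
function weakIsSearchPage(rawUrl) {
  return WEAK_PATTERN.test(rawUrl);
}

// Hardened check: parse first, then require an exact host, scheme and path.
const TRUSTED_SEARCH_HOSTS = new Set(["www.google.com"]); // assumed allow-list

function strictIsSearchPage(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input never gets the shortened display
  }
  return url.protocol === "https:" &&
    TRUSTED_SEARCH_HOSTS.has(url.hostname) &&
    url.pathname === "/search" &&
    url.searchParams.has("q");
}

// Address-bar text: the bare query only for a verified search page,
// otherwise the full URL so the real host stays visible to the user.
function addressBarText(rawUrl, isSearchPage) {
  if (!isSearchPage(rawUrl)) return rawUrl;
  const full = rawUrl.includes("://") ? rawUrl : "https://" + rawUrl;
  return new URL(full).searchParams.get("q") ?? rawUrl;
}

// Constructed sample inputs (scheme added to the URL quoted in the article).
const SAMPLE_URLS = [
  "https://www.google.com/search?q=weather",
  "https://www.google.com.phishing-site.com?q=www.facebook.com",
];

for (const u of SAMPLE_URLS) {
  console.log(u);
  console.log("  weak  :", addressBarText(u, weakIsSearchPage));
  console.log("  strict:", addressBarText(u, strictIsSearchPage));
}
```

With the strict check, the look-alike host is shown in full instead of being replaced by the query text.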
The UC Browser security team was informed of the issue over a week ago; however, the company has yet to address the vulnerability, marking the report as “ignored.” This lack of response has raised concerns, especially given the browser’s recent history, in which vulnerabilities associated with its features were highlighted, showcasing other serious security risks.
MITRE ATT&CK tactics relevant to this vulnerability include Initial Access, where attackers may gain entry through deceptive URLs, alongside Phishing techniques that utilize social engineering to lure users. As such threats evolve, businesses must remain vigilant and take proactive measures to safeguard against user deception and potential data breaches stemming from vulnerabilities like this.
As the cybersecurity landscape continues to shift, the responsibility lies with both developers and users to remain informed and responsive. Cybersecurity professionals must prioritize educating their teams and implementing robust security measures to mitigate risks associated with such vulnerabilities.