URL Spoofing in Xiaomi's Built-in Browser Apps

  • CERT Admin
  • Tue Apr 09 2019
  • Alerts

Systems Affected 

Xiaomi's built-in Mi Browser (v10.5.6-g) and the Mint Browser (v1.5.3)

Threat Level

High

Overview 

An attacker can trick Xiaomi users into believing they are visiting a trusted site while the page they are actually viewing serves malicious or phishing content.

Description 

The vulnerability, tracked as CVE-2019-10875, lets an attacker spoof the browser's address bar because of a logic flaw in the browser's user interface. The affected browsers do not handle the query parameter "q" in URLs properly: when a URL contains the substring "?q=", the address bar drops everything before it, including the real scheme and host, and shows only what follows. An attacker can therefore place a trusted-looking https URL in the q parameter of a link to a site under their control, and the address bar will display that URL instead of the real one.

Because the address bar no longer shows the real origin, and with it security indicators such as the HTTPS scheme, the flaw makes it easy to trick Xiaomi users.
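The following is an added illustration and not Xiaomi's code: a small model of the reported address-bar behaviour (everything up to and including "?q=" is dropped) next to the origin a browser should derive from a proper URL parse, plus a heuristic that flags URLs whose query parameter carries an absolute URL for a different host. The sample URLs, hostnames and function names are constructed for the example; the flawed display logic is an assumption about the behaviour described above, not the browser's actual implementation.

```javascript
// Added example, not Xiaomi's code. Models the reported flaw beside the
// correct handling, on constructed sample URLs (hostnames are made up).

// Assumed model of the flawed display: the text up to and including "?q="
// is dropped, so the user sees whatever the q parameter carries.
function flawedAddressBar(url) {
  const i = url.indexOf("?q=");
  return i === -1 ? url : url.slice(i + 3);
}

// What the address bar should show: scheme and host of the real origin,
// taken from a proper URL parse rather than a substring search.
function trustedOrigin(url) {
  const u = new URL(url); // throws on unparsable input
  return `${u.protocol}//${u.host}`;
}

// Heuristic check for this spoof shape: a query parameter whose value is an
// absolute http(s) URL pointing at a host other than the page's own.
function findSpoofCandidates(url) {
  const u = new URL(url);
  const hits = [];
  for (const [name, value] of u.searchParams) {
    let inner;
    try {
      inner = new URL(value);
    } catch (e) {
      continue; // plain text, not a URL
    }
    if (!/^https?:$/.test(inner.protocol)) continue;
    if (inner.host !== u.host) {
      hits.push({ param: name, origin: `${inner.protocol}//${inner.host}` });
    }
  }
  return hits;
}

// Constructed sample: an attacker-controlled page whose q parameter carries
// a bank-looking HTTPS URL.
const SAMPLE = "http://attacker.example/login?q=https://bank.example/login";

console.log("flawed display :", flawedAddressBar(SAMPLE));   // https://bank.example/login
console.log("correct display:", trustedOrigin(SAMPLE));      // http://attacker.example
console.log("spoof candidates:", JSON.stringify(findSpoofCandidates(SAMPLE)));
```

The point of `trustedOrigin` is that the displayed origin must come from the parsed URL's scheme and host, never from a substring of the raw URL text; any display logic that searches the string for a marker such as "?q=" can be steered by whoever controls the query. `findSpoofCandidates` is a coarse filter for link scanners or proxies, not a fix for the browser.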

Impact 

  ✦  Stealing sensitive information from the tricked user.
  ✦  Distributing malware.

Solution/ Workarounds 

  ✻  Until Xiaomi ships a fixed version of the Mi Browser and Mint Browser, do not rely on the address bar of the affected browsers; use an alternative browser for any site where credentials or other sensitive data are entered, and treat links whose URL contains "?q=" followed by another URL as suspect.

References 

  ✦  https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html
  ✦  https://www.fonearena.com/blog/279381/xiaomi-browser-vulnerability-url-spoofing.html

Disclaimer 

The information provided herein is on "as is" basis, without warranty of any kind.
 

Last updated: Tue Apr 09 2019