
# Alert: Unpatched Flaw in Xiaomi's Built-in Browser App Lets Hackers Spoof URLs

EXCLUSIVE — Beware: if you are using a Xiaomi Mi or Redmi smartphone, you should immediately stop using its built-in MI browser or the Mint browser available on Google Play Store for non-Xiaomi Android devices.

That's because both web browser apps created by Xiaomi are affected by a critical vulnerability that has not yet been patched even after being privately reported to the company, a researcher told The Hacker News.

The vulnerability, identified as CVE-2019-10875 and discovered by security researcher Arif Khan, is a browser address bar spoofing issue that originates because of a logical flaw in the browser's interface, allowing a malicious website to control URLs displayed in the address bar.

According to the advisory, the affected browsers do not properly handle the "q" query parameter in URLs and therefore fail to display the portion of an https URL before the ?q= substring in the address bar.
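For defenders who filter links at a mail gateway or proxy, the behaviour described in the advisory suggests a simple triage signal: an https link whose "q" value names a different host than the one actually being contacted. The sketch below is an added example, not code from the advisory or from Xiaomi; the function names and the `.example` sample links are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs

def host_named_in(value):
    """Return the hostname a q= value would present to a user, or None."""
    candidate = value.strip()
    if "://" not in candidate:
        candidate = "//" + candidate      # make urlsplit read it as host[/path]
    try:
        host = urlsplit(candidate).hostname
    except ValueError:
        return None
    if not host or " " in host or "." not in host:
        return None                       # ordinary search terms, not a host
    if not host.rsplit(".", 1)[-1].isalpha():
        return None                       # "3.5" and similar are not domains
    return host.rstrip(".")

def spoof_candidate(url):
    """Return (real_host, displayed_host) when q= names a different host."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    real = parts.hostname.rstrip(".")
    for value in parse_qs(parts.query).get("q", []):
        shown = host_named_in(value)
        # Ignore q values naming the real host or its parent domain.
        if shown and shown != real and not real.endswith("." + shown):
            return real, shown
    return None

# Constructed sample links (reserved .example names, not real indicators).
SAMPLE_LINKS = [
    "https://phish.example/?q=login.bank.example",
    "https://phish.example/lp?id=7&q=https%3A%2F%2Flogin.bank.example%2Fsignin",
    "https://login.bank.example/search?q=login.bank.example",
    "https://www.shop.example/find?q=shop.example",
    "https://search.example/?q=cheap+flights",
    "https://search.example/?q=version+3.5",
]

def scan(links):
    """Map each flagged link to its (real_host, displayed_host) pair."""
    return {u: hit for u in links if (hit := spoof_candidate(u))}

if __name__ == "__main__":
    for url, (real, shown) in scan(SAMPLE_LINKS).items():
        print(f"{url}\n  served by {real}, address bar would show {shown}")
```

A legitimate search for a domain name also matches, so treat a hit as a prompt for review rather than a verdict.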

Since the address bar of a web browser is the most reliable and essential security indicator, the flaw can be used to easily trick Xiaomi users into thinking they are visiting a trusted website when they are actually being served phishing or malicious content, as shown in the video demonstration below.

Phishing attacks today are more sophisticated and increasingly difficult to spot, and this URL spoofing vulnerability takes it to another level, allowing one to bypass basic indicators like URL and SSL, which are the first things a user checks to determine if a site is fake.