
Spoof URLs on Xiaomi's Built-in Browser App

 

Systems Affected


Built-in MI browser (v10.5.6-g) or the Mint browser (v1.5.3)

Threat Level


High


Overview


An attacker could easily trick Xiaomi users into thinking that they are visiting a trusted site when they are actually being served malicious or phishing content.


Description


The vulnerability is identified as CVE-2019-10875. An attacker could spoof the browser address bar because of a logical flaw in the browser's interface. It is reported that the affected browsers do not handle the query parameter ("q") in URLs properly and fail to display the HTTPS portion before the "?q=" substring in the address bar.
Since security indicators such as HTTPS are not displayed properly in the address bar, the flaw can be used to easily trick Xiaomi users.
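
A defensive check for the behaviour described above, as an added example that is not part of the original advisory: it flags links (for instance in mail or proxy logs) whose "q" value looks like a hostname or URL different from the host that actually serves the page. The domain names are constructed, and the host-matching heuristic and the `trusted_hosts` allowlist for legitimate search sites are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic (assumption): a "q" value shaped like a hostname or URL,
# e.g. "www.bank.example" or "https://bank.example/login".
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?"        # optional scheme
    r"((?:[a-z0-9-]+\.)+[a-z]{2,})"      # hostname (captured)
    r"(?::\d+)?(?:[/?#].*)?$",           # optional port, path, query, fragment
    re.IGNORECASE,
)

def spoof_candidate(url, trusted_hosts=frozenset()):
    """Return the hostname carried in "q" when it differs from the host that
    actually serves the page; return None when the link looks benign."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""      # urlsplit lowercases the hostname
    if real_host in trusted_hosts:
        return None
    for value in parse_qs(parts.query).get("q", []):
        match = HOSTLIKE.match(value.strip())
        if match and match.group(1).lower() != real_host:
            return match.group(1).lower()
    return None

def scan(urls, trusted_hosts=frozenset()):
    """Return (url, host_named_in_q) pairs for every suspicious link."""
    hits = []
    for url in urls:
        shown = spoof_candidate(url, trusted_hosts)
        if shown:
            hits.append((url, shown))
    return hits

# Constructed sample links using reserved .example names.
SAMPLE_LINKS = [
    "https://phish.example/?q=www.bank.example",
    "http://phish.example/login?q=https%3A%2F%2Fbank.example%2Fsignin",
    "https://www.bank.example/search?q=savings+rates",
    "https://search.example/?q=bank.example",
    "https://bank.example/?q=bank.example",
]

if __name__ == "__main__":
    for url, shown in scan(SAMPLE_LINKS, trusted_hosts={"search.example"}):
        print(f"suspicious: {url} (q names {shown})")
```

Searches for a domain name on a site that is not allowlisted will also be flagged, so hits are candidates for review rather than verdicts.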


Impact


  ✦  Stealing sensitive information from the tricked user.
  ✦  Distributing malware.


Solution/ Workarounds


  ✦  Avoid using the built-in browsers on Xiaomi mobile phones.


References


  ✦  https://thehackernews.com/2019/04/xiaomi-browser-vulnerability.html
  ✦  https://www.fonearena.com/blog/279381/xiaomi-browser-vulnerability-url-spoofing.html


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.