
Security researcher Rafay Baloch explained an exploit in which using characters like '|' or Unicode characters like U+FE70, U+0622, U+0623 could lead to reversing of the site URL, leading to various types of web attacks. I tried it on Firefox 49, on which it does not work. Is the browser already patched?

Steffen Ullrich
ashish

1 Answer


This was fixed in the Firefox 48 release; there is a security advisory on the Mozilla Foundation's website. It seems that it only affects the Android version of the browser, so not only are you using a release that has been properly patched, but if you're using a desktop browser you would not have witnessed the vulnerability anyway.

Security researcher Rafay Baloch reported a mechanism to spoof the address bar in Firefox for Android using right-to-left character sets when combined with left-to-right characters. This can be used to cause only certain portions of the loaded left-to-right character portion of the URL to be displayed, misleading users as to what site is loaded, possibly leading to phishing attacks.

This vulnerability does not affect the desktop version of Firefox.

Link to source

INV3NT3D
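As an added example, not code from the question, the answer or Mozilla, here is a defender-side check in Python that flags URLs mixing left-to-right text with right-to-left letters or bidi control characters, the ingredient the advisory describes. The code points U+FE70, U+0622 and U+0623 are the ones named in the question; the sample URLs are constructed for illustration.

```python
import unicodedata

# Bidi classes that can change the visual order of a rendered string:
# R and AL are strong right-to-left letters (Arabic U+0622/U+0623 and the
# presentation form U+FE70 are AL); the rest are explicit embedding,
# override and isolate controls from the Unicode Bidirectional Algorithm.
RTL_BIDI_CLASSES = {
    "R", "AL",
    "RLE", "RLO", "LRE", "LRO", "PDF",
    "RLI", "LRI", "FSI", "PDI",
}


def find_bidi_risky_chars(url):
    """Return (index, codepoint, bidi_class) for each character in `url`
    that is a strong RTL letter or a bidi control character."""
    hits = []
    for i, ch in enumerate(url):
        cls = unicodedata.bidirectional(ch)
        if cls in RTL_BIDI_CLASSES:
            hits.append((i, f"U+{ord(ch):04X}", cls))
    return hits


def is_display_spoof_candidate(url):
    """True when the URL contains both strong LTR text and RTL letters or
    bidi controls, i.e. its rendered order may differ from its logical
    order. Note that '|' alone is a neutral (ON) character and is not
    flagged by this check; the RTL/LTR mix is what the advisory describes."""
    hits = find_bidi_risky_chars(url)
    if not hits:
        return False
    return any(unicodedata.bidirectional(c) == "L" for c in url)


if __name__ == "__main__":
    # Constructed sample inputs, not real phishing URLs.
    for sample in (
        "https://example.com/login",
        "https://example.com/\u0622\u0623/\ufe70|login",
    ):
        print(sample.encode("unicode_escape").decode(),
              find_bidi_risky_chars(sample),
              is_display_spoof_candidate(sample))
```

A URL filter or log review can apply `is_display_spoof_candidate` to the displayed URL string before trusting what a user saw in the address bar.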