The “omnibox” vulnerability makes it easier to phish users or steal their data.
A vulnerability in how Chrome and Firefox render website addresses could allow an attacker to trick a user into visiting a spoof website that appears to be legitimate.
Rafay Baloch, a security researcher, won $5,000 in a combined bug bounty for finding the flaw.
In a blog post on Tuesday, he explained that the flaw could be used to trick users into supplying sensitive information to a malicious site, because the website appears to be legitimate in the browser’s address box.
This address bar spoofing flaw works because some languages that display right-to-left, such as Arabic, are rendered differently. He explained that if you take a neutral right-to-left character (such as a forward slash), it can be used to flip a web address to also display right-to-left.
For example: 127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/ا/127.0.0.1.
That means anyone clicking on the link, which could be masked in a spam email or a tweet, would appear to be going to http://example.com but the site would display content from the IP address.
Baloch said that Chrome 53 and Firefox 48 will fix the issue. However, because the flaw exists in other browsers, he will refrain from disclosing the flaws as part of a responsible disclosure policy.
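For defenders filtering links in mail or chat, the pattern in the example above (right-to-left text followed by a second URL after the real host) can be flagged before a user ever sees it rendered. The following is an added example, not code from the researcher or the browser vendors; the function names, finding labels and the heuristic itself are assumptions of this sketch, and it also checks for explicit bidi control characters, which goes slightly beyond the single case in the article.

```python
import re
import unicodedata
from urllib.parse import unquote, urlsplit

RTL_STRONG = {"R", "AL"}  # strong right-to-left classes (Hebrew, Arabic, ...)
BIDI_CONTROL = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}
HAS_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)
IPV4_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
URL_LIKE = re.compile(r"https?://", re.I)


def audit_url(url):
    """Return reasons (in fixed order) why a link may display misleadingly."""
    if not HAS_SCHEME.match(url):
        url = "http://" + url  # the article's sample link has no scheme
    parts = urlsplit(url)
    # Everything after the host, decoded so %D8%A7 is seen as the letter it is.
    tail = unquote(parts.path + "?" + parts.query + "#" + parts.fragment)
    classes = {unicodedata.bidirectional(ch) for ch in tail}
    findings = []
    if IPV4_HOST.match(parts.hostname or ""):
        findings.append("ip-host")
    if classes & RTL_STRONG:
        findings.append("rtl-after-host")
    if classes & BIDI_CONTROL:
        findings.append("bidi-control")
    if URL_LIKE.search(tail):
        findings.append("url-after-host")
    return findings


def is_spoof_candidate(url):
    """True when RTL text (or a bidi control) and a second URL follow the host."""
    found = set(audit_url(url))
    reordering = found & {"rtl-after-host", "bidi-control"}
    return "url-after-host" in found and bool(reordering)


if __name__ == "__main__":
    samples = [  # constructed inputs; the first is the article's own example
        "127.0.0.1/\u0627/http://example.com",
        "http://127.0.0.1/%D8%A7/http://example.com",
        "http://example.com/\u0627/page",
        "http://example.com/docs/index.html",
    ]
    for s in samples:
        print(is_spoof_candidate(s), audit_url(s), ascii(s))
```

A plain Arabic path on its own is reported but not treated as a spoof candidate, since legitimate right-to-left URLs are common; only the combination with a second URL after the host is escalated.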