Noting the lack of basic security features like XSS auditors, a researcher has found a URL spoofing vulnerability on Xiaomi-made Mi Browser and the Mint Browser. The vulnerability, identified as CVE-2019-10875, originates due to a flaw in both the browsers and it reportedly enables a malicious website to control URLs in the address bar. The Mi Browser comes pre-installed in every Xiaomi device with MIUI and Mint Browser was launched globally via the Google Play Store.
The researcher who discovered the flaw, Arif Khan, says that the Mi Security team (MiSRC) confirmed that the issue was present in their global versions and not in their domestic ones. Thus, “they inadvertently conveyed the fact that only International versions of their browsers were insecure to this vulnerability,” Khan said. He adds that the bug was accidentally spotted and it didn’t require much effort. He found the vulnerability while he decided to test “a certain feature in their browser.”
The researcher apparently noticed the flaw when triying to open a Google query search link through the Mi Browser. “For a link such as https://www.google.com/?q=www.domain.com, the URL bar would display www.domain.com, and this is exactly where the problem arises, because the URL bar doesn't display the full URL, and this not only happens in case of popular search engine websites but also with other websites,” Khan said.
Those who are using the Mi Browser or the Mint Browser as their default web browser, their device is vulnerable to phishing attacks. Khan adds that it is recommended not to use any of the browsers until the flaw is patched and instead use Google Chrome “because it has a good XSS filter.” As per the researcher, Mi Security team has acknowledged the security issue found by him and he has been awarded $198 ($99 for each browser) bounty rewards. However, it is not yet known whether the vulnerability is patched or not.