Xiaomi's Mi browser, Mint Browser reportedly affected with serious URL spoofing vulnerability

By Digit NewsDesk | Updated 8 Apr 2019
Xiaomi's Mi browser, Mint Browser reportedly affected with serious URL spoofing vulnerability
  • ​Researcher finds vulnerability in Mi Browser and Mint Browser.
  • The Mi Security team has accepted the flaw.

Noting the lack of basic security features like XSS auditors, a researcher has found a URL spoofing vulnerability on Xiaomi-made Mi Browser and the Mint Browser. The vulnerability, identified as CVE-2019-10875, originates due to a flaw in both the browsers and it reportedly enables a malicious website to control URLs in the address bar. The Mi Browser comes pre-installed in every Xiaomi device with MIUI and Mint Browser was launched globally via the Google Play Store.

advertisements

The researcher who discovered the flaw, Arif Khan, says that the Mi Security team (MiSRC) confirmed that the issue was present in their global versions and not in their domestic ones. Thus, “they inadvertently conveyed the fact that only International versions of their browsers were insecure to this vulnerability,” Khan said. He adds that the bug was accidentally spotted and it didn’t require much effort. He found the vulnerability while he decided to test “a certain feature in their browser.”

The researcher apparently noticed the flaw when triying to open a Google query search link through the Mi Browser. “For a link such as https://www.google.com/?q=www.domain.com, the URL bar would display www.domain.com, and this is exactly where the problem arises, because the URL bar doesn't display the full URL, and this not only happens in case of popular search engine websites but also with other websites,” Khan said.

Those who are using the Mi Browser or the Mint Browser as their default web browser, their device is vulnerable to phishing attacks. Khan adds that it is recommended not to use any of the browsers until the flaw is patched and instead use Google Chrome “because it has a good XSS filter.” As per the researcher, Mi Security team has acknowledged the security issue found by him and he has been awarded $198 ($99 for each browser) bounty rewards. However, it is not yet known whether the vulnerability is patched or not.

advertisements

Related Read:

Global smartphone shipments expected to drop for third consecutive year in 2019: IDC

advertisements
Digit NewsDesk
The guy who answered the question 'What are you doing?' with 'Nothing'.
advertisements
ASK DIGIT

Recent Questions

best mobile browser
CHRISTIANA JOHN
Sept 19, 2014
Responses 1
t ruth pushpalatha
Sept 26, 2014
Comments
Be the first one to post the comment
Post a New Comment
You must be signed in to post a comment
advertisements