Researcher finds vulnerability in Mi Browser and Mint Browser.
The Mi Security team has accepted the flaw.
Make your home smarter than the average home
Make your life smarter, simpler, and more convenient with IoT enabled TVs, speakers, fans, bulbs, locks and more.
Click here to know more
Noting the lack of basic security features like XSS auditors, a researcher has found a URL spoofing vulnerability on Xiaomi-made Mi Browser and the Mint Browser. The vulnerability, identified as CVE-2019-10875, originates due to a flaw in both the browsers and it reportedly enables a malicious website to control URLs in the address bar. The Mi Browser comes pre-installed in every Xiaomi device with MIUI and Mint Browser was launched globally via the Google Play Store.
The researcher who discovered the flaw, Arif Khan, says that the Mi Security team (MiSRC) confirmed that the issue was present in their global versions and not in their domestic ones. Thus, “they inadvertently conveyed the fact that only International versions of their browsers were insecure to this vulnerability,” Khan said. He adds that the bug was accidentally spotted and it didn’t require much effort. He found the vulnerability while he decided to test “a certain feature in their browser.”
The researcher apparently noticed the flaw when triying to open a Google query search link through the Mi Browser. “For a link such as https://www.google.com/?q=www.domain.com, the URL bar would display www.domain.com, and this is exactly where the problem arises, because the URL bar doesn't display the full URL, and this not only happens in case of popular search engine websites but also with other websites,” Khan said.
Those who are using the Mi Browser or the Mint Browser as their default web browser, their device is vulnerable to phishing attacks. Khan adds that it is recommended not to use any of the browsers until the flaw is patched and instead use Google Chrome “because it has a good XSS filter.” As per the researcher, Mi Security team has acknowledged the security issue found by him and he has been awarded $198 ($99 for each browser) bounty rewards. However, it is not yet known whether the vulnerability is patched or not.
Digit caters to the largest community of tech buyers, users and enthusiasts in India. The all new Digit in continues the legacy of Thinkdigit.com as one of the largest portals in India committed to technology users and buyers. Digit is also one of the most trusted names when it comes to technology reviews and buying advice and is home to the Digit Test Lab, India's most proficient center for testing and reviewing technology products.
We are about leadership-the 9.9 kind! Building a leading media company out of India.And,grooming new leaders for this promising industry.