DuckDuckGo Android Browser Vulnerable To URL Spoofing Attacks

The DuckDuckGo Privacy Browser application version 5.26.0 for Android allows address bar spoofing via a setInterval call, as demonstrated by reloading every 50 ms.

Security researcher Dhiraj Mishra found the issue, reported it as CVE-2019-12329, and also reported it to the app's security team.

This issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded the researcher with swag on Nov 13th, 2018, but the issue was closed without a fix, with the team stating that it "doesn't view it as a serious issue", and the report was marked as informative. CVE-2019-12329 was subsequently assigned to this issue.

Potential attackers can perform URL spoofing attacks by changing the URL displayed in the address bar of the vulnerable web browser, tricking victims into thinking that the website they are currently browsing is controlled by a trusted party.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
