The DuckDuckGo Privacy Browser application version 5.26.0 for Android allows address bar spoofing via a setInterval call, as demonstrated by reloading every 50 ms.
This issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded it with swag on Nov 13th, 2018, but the issue was closed without a fix, with the response that the “team doesn’t view it as a serious issue”, and the report was marked as informative. Subsequently, CVE-2019-12329 was assigned to this issue.
Potential attackers can perform URL spoofing attacks by changing the URL displayed in the address bar of the vulnerable web browser to trick their victims into thinking that the website they’re currently browsing is controlled by a trusted party.
UK-based technology professional, with an interest in computer security and telecoms.