DuckDuckGo Android Browser Vulnerable To URL Spoofing Attacks

The DuckDuckGo Privacy Browser application version 5.26.0 for Android allows address bar spoofing via a setInterval call, as demonstrated by reloading every 50 ms.

Security researcher Dhiraj Mishra found the issue, which was assigned CVE-2019-12329, and reported it to the app's security team.

The issue was submitted to the DuckDuckGo team via HackerOne on Oct 31st, 2018. DuckDuckGo rewarded the report with swag on Nov 13th, 2018, but closed the issue without a fix, stating that the “team doesn’t view it as a serious issue”, and marked the report as informative. CVE-2019-12329 was subsequently assigned to this issue.

By changing the URL displayed in the address bar of the vulnerable browser, an attacker can perform URL spoofing attacks that trick victims into believing the website they are currently browsing is controlled by a trusted party.

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
