hackerone | Aaditya_purani | H1:175958
Oct 15, 2016 - 8:17 a.m.

Brave Software: [iOS/Android] Address Bar Spoofing Vulnerability

2016-10-15 08:17:22
aaditya_purani
hackerone.com
$200
98

EPSS: 0.002
Percentile: 53.2%

Hello,

I am Aaditya Purani, and I would like to report an address bar spoofing vulnerability in Brave Browser on the iOS as well as Android platforms. All the tests have been carried out against the latest Brave Browser, whose versions I have mentioned in the Products affected section.

Summary:

Brave Browser suffers from an address bar spoofing vulnerability. Address bar spoofing is a critical vulnerability in which any attacker can spoof the address bar to a legit-looking website, but the content of the web page remains different from the address bar display of the site. In simple words, the victim sees a familiar-looking URL, but the content is not from the same URL; it is attacker-controlled content. Some companies say “We recognize that the address bar is the only reliable security indicator in modern browsers”.

Products affected:

  • In iOS - Affected is the latest version 1.2.16 (16.09.30.10)
  • In Android - Affected is Brave latest version 1.9.56

Steps To Reproduce

I created HTML code which would spoof the address bar of Brave Browser (bravespoof.html) in the attachments. As we can understand, the code contains a form which I have created just to demonstrate a look-alike impact, where it asks for the username and password of any user. But the real trick is done by the function f(), whose location is equal to https://facebook.com. Additionally, to complete the exploit, I used the setInterval function to execute the function f continuously every 10 milliseconds. Hence, ideally after 10 ms the location would divert the URL as well as the page to display https://facebook.com content or, in some cases, it keeps hold of the URL without changing the URL or the page (which is again a safe case). But in Brave Browser both fail. In Brave, when you host the below-given HTML code on a web server and visit it from either the Android or iOS Brave Browser, the URL gets spoofed to https://facebook.com (it even shows a green lock, so the victim would believe it), but the content remains the one which the attacker has placed.

Look at the screenshot addressbarbrave.jpg POC, where I showed how in Android Brave Browser the URL changed to https://facebook.com but the content remains attacker-controlled (i.e. a fakebook login page). Moreover, the image of the bubble shows the Facebook logo (any victim would believe it).

Another screenshot I attached is braveiospoofing.jpg, which is the POC of the affected iOS Brave browser; as we can see, it shows https://facebook.com with a green lock, but the body of the page is attacker-controlled.

I carried out the same test in the Chrome browser too, but Chrome is smart: it doesn't change the URL to https://facebook.com; the URL remains that of the hosted HTML (I showed the same in the chromeaddress.jpg screenshot). The same happens in Mozilla; it is also not affected. But the best one is UC Mini (on Android), where it redirects completely to https://facebook.com to mitigate this fully. Even Safari Mobile (iOS) is not affected. I tested the same on many browsers, and Brave turned out to be affected.

I sincerely hope this gets patched ASAP. Cheers!
