QQ Browser for iOS displays the page title in the address bar in place of the URL. This greatly reduces the cost of URL spoofing and may indirectly expose users to phishing attacks.
First, construct a domain name that closely resembles mail.qq.com. The PoC is at the following address:
http://mail.qq.com.cgi-bin.frame-html.siduz1gjqsctztfk8br0c141773e.x55.me
Subsequently, the page title is set to:
The page content itself is copied entirely from the original mail.qq.com.
Proof of vulnerability:
When the victim opens the phishing page in QQ Browser for iOS and tries to log in, the screen looks like this:
[Screenshot: 1.png]
WeChat and QQ also have similar problems; I will not include screenshots. This is not only on iOS but also on Android. Since they have no address bar, it cannot be called URL spoofing. It may be worth considering whether this needs to be fixed.
[Screenshot: 2.png]
For a browser, I think displaying the page title in the address bar instead of the original address is unreasonable. Combined with a homoglyph attack, this type of attack could become even more subtle in QQ Browser.
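
A defender-side check for the lookalike host described above, as an added example that is not part of the original report: it derives the registrable domain (what an address bar should show) and flags hosts that carry a trusted name as subdomain labels of another site, or that contain IDN labels. The trusted list, the small suffix set and the function names are assumptions for illustration.

```javascript
// Added example (not from the original report). TRUSTED and MULTI_LABEL_SUFFIXES
// are constructed sample data; real code should use the full Public Suffix List.
const TRUSTED = ["qq.com"];
const MULTI_LABEL_SUFFIXES = new Set(["com.cn", "co.uk"]);

// Registrable domain: the public suffix plus one label to its left.
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

function assessUrl(rawUrl) {
  // The WHATWG URL parser lowercases the host and returns IDNs as punycode (xn--).
  const host = new URL(rawUrl).hostname;
  const site = registrableDomain(host);
  const reasons = [];
  for (const brand of TRUSTED) {
    if (site === brand) continue; // genuinely on the trusted site
    // Trusted name used as leading or embedded labels of a different site.
    if (host.startsWith(brand + ".") || host.includes("." + brand + ".")) {
      reasons.push(`"${brand}" appears in host but site is "${site}"`);
    }
  }
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    reasons.push("host contains IDN (punycode) labels; check for homoglyphs");
  }
  // "display" is the registrable domain, never the attacker-controlled page title.
  return { host, display: site, suspicious: reasons.length > 0, reasons };
}

// The PoC address from the report resolves to the site x55.me, not qq.com.
const poc = assessUrl(
  "http://mail.qq.com.cgi-bin.frame-html.siduz1gjqsctztfk8br0c141773e.x55.me"
);
console.log(poc.display, poc.suspicious, poc.reasons);
```

Showing `display` alongside the page title, instead of the title alone, keeps the attacker-controlled string out of the one place users check for origin.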