A vulnerability in how Chrome and Firefox render website addresses could allow an attacker to trick a user into visiting a spoof website that appears to be legitimate.
Rafay Baloch, a security researcher, won $5,000 in a combined bug bounty for finding the flaw.
In a blog post on Tuesday, he explained that the flaw could be used to trick users into supplying sensitive information to a malicious site, because the website appears to be legitimate in the browser's address bar.
This address bar spoofing flaw works because text in languages written right-to-left, such as Arabic, is rendered differently. He explained that a neutral right-to-left character (such as a forward slash) can be used to flip a web address so that it also displays right-to-left.
For example: 127.0.0.1/ا/http://example.com would instead appear in the browser bar as http://example.com/ا/127.0.0.1.
That means anyone clicking on the link, which could be masked in a spam email or a tweet, would appear to be going to http://example.com, but the browser would display content from the IP address.
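A link filter can flag this pattern before a user sees it. The sketch below is an added example, not code from Baloch's post or from either browser: it models the display with the first-strong-character rule of the Unicode Bidirectional Algorithm, and the names `first_strong` and `audit_url` and the choice to drop the scheme before checking are assumptions made for illustration.

```python
import re
import unicodedata

RTL_STRONG = {"R", "AL"}  # bidi classes of Hebrew-type and Arabic-type letters
SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")

def first_strong(text):
    """Direction of the first strong bidi character, or None if there is none."""
    for ch in text:
        cls = unicodedata.bidirectional(ch)
        if cls == "L":
            return "ltr"
        if cls in RTL_STRONG:
            return "rtl"
    return None

def audit_url(url):
    """Report the host that is really contacted and whether the text may flip."""
    # Assumption: the scheme is left out of the displayed text being modelled.
    shown = SCHEME.sub("", url, count=1)
    classes = [unicodedata.bidirectional(c) for c in shown]
    base = first_strong(shown)
    # Index of the first RTL letter, then check for Latin letters after it:
    # those are the characters that would be visually reordered.
    rtl_at = next((i for i, c in enumerate(classes) if c in RTL_STRONG), None)
    ltr_after = rtl_at is not None and "L" in classes[rtl_at + 1:]
    return {
        "host": re.split(r"[/?#]", shown, maxsplit=1)[0],
        "base_direction": base,
        "suspicious": base == "rtl" and ltr_after,
    }

# Constructed samples; "\u0627" is the Arabic letter used in the page's example.
SAMPLES = [
    "127.0.0.1/\u0627/http://example.com",   # the page's example
    "http://example.com/\u0627/page",        # Latin host first: base stays LTR
    "http://127.0.0.1/index.html",           # numeric host, no RTL text at all
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(ascii(sample), audit_url(sample))
```

The numeric host matters here: digits, dots and slashes carry no strong direction, so the Arabic letter in the path is the first strong character and sets the direction for the whole string.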
We tested and confirmed that this flaw still exists in the latest build of Chrome for Mac (version 52).
Baloch said that the flaw exists in other browsers, but he will refrain from disclosing the flaws as part of a responsible disclosure policy.
We reached out to both Google and Mozilla but didn’t hear back at the time of writing.