Comment 0 for bug 1620323

Dhiraj (mishra-dhiraj95) wrote :

Hello,

The default browser of Ubuntu LTS is vulnerable to Address Bar Spoofing.

Steps:
The Ubuntu browser allows an attacker to spoof the web browser by just using the '@' symbol.
Example: https://<email address hidden> ; this will redirect a user or victim to bing.com rather than google.com.
An attacker can take advantage of this and may redirect the victim to any malicious website.
Example: https://<email address hidden> ; similarly, this will also redirect to attacker.com rather than facebook.com.

There are various scenarios to exploit this; one of them uses BeEF's [hook.js], which is browser-based exploitation, and there are many more.
Example: https://<email address hidden>/hook.js
hook.js is a component of BeEF, which allows an attacker to carry out browser-based exploitation.

As a mitigation, I recommend and request that there should be a pop-up warning that someone is trying to tamper with the URL.

Kindly have a look at the attached video PoC to clarify the above scenario.
I would be happy to hear from the team.
Thank you
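The '@' behaviour the report describes, as an added example that is not part of the bug report and not the Ubuntu browser's own code: a WHATWG-style URL parser (Node's built-in URL, the same model browsers follow) treats everything between the scheme and the last '@' of the authority as userinfo, so the host the browser actually connects to is whatever follows the '@'. The second function is a constructed heuristic for the kind of warning the reporter requests; the sample URLs reuse the hostnames named in the report and are constructed for this example, not taken from the hidden links.

```javascript
// Added example: not from the bug report or the Ubuntu browser. Uses Node's
// global WHATWG URL class (no extra dependencies).

// Split a URL into the fields that matter for the '@' trick.
function describeUrl(input) {
  const u = new URL(input);
  return {
    username: u.username,  // text before '@' is userinfo, NOT the destination
    password: u.password,
    host: u.hostname,      // the server the browser will really connect to
    origin: u.origin,      // what an address bar should emphasise
    path: u.pathname,
  };
}

// Constructed heuristic for an address-bar warning: if the URL carries a
// userinfo component that itself looks like a domain name, the text before
// '@' was probably placed there to be mistaken for the destination.
// Returns null when there is nothing to warn about.
function checkUserinfoSpoof(input) {
  let u;
  try {
    u = new URL(input);
  } catch (e) {
    return { ok: false, reason: 'unparseable' };
  }
  if (!u.username && !u.password) return null;

  // "label.label" shape (google.com, facebook.com, ...); plain usernames don't match.
  const looksLikeHost = /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(u.username);
  return {
    ok: true,
    userinfo: u.username + (u.password ? ':' + u.password : ''),
    actualHost: u.hostname,
    suspicious: looksLikeHost,
    message: looksLikeHost
      ? `"${u.username}" before '@' is not the destination; this page loads from ${u.hostname}.`
      : `URL contains credentials for ${u.hostname}.`,
  };
}

// Constructed samples mirroring the hostnames in the report.
const samples = [
  'https://google.com@bing.com/',               // first example in the report
  'https://facebook.com@attacker.com/',         // second example
  'https://facebook.com@attacker.com/hook.js',  // the hook.js scenario
  'https://user:secret@intranet.example/',      // real credentials, not host-like
  'https://example.com/',                       // no userinfo at all
];

for (const s of samples) {
  console.log(s, '->', JSON.stringify(describeUrl(s)));
  console.log('   check:', JSON.stringify(checkUserinfoSpoof(s)));
}
```

The point the parse makes visible is that the address bar string and the origin differ: for the first sample `origin` is `https://bing.com` while the text a user reads starts with `google.com`. A browser that renders `u.origin` prominently, or prompts when `checkUserinfoSpoof` returns `suspicious: true`, removes the ambiguity the report is about.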