Photo Credit: The Hacker News
Mi Browser said to have URL spoofing flaw that hackers can exploit
Users can be duped into accessing malicious sites, due to URL spoofing
Xiaomi allegedly paid researcher for reporting issue, but left it unpatch
A new vulnerability has reportedly been discovered in Xiaomi’s default pre-installed Mi Browser app and Mint Browser that essentially allows a malicious website to control URLs displayed in the address bar. The vulnerability has been allegedly been listed on Common Vulnerabilities and Exposures (CVE) database, but is in a “reserved state” for. It was discovered by security researcher Arif Khan. The researcher privately reported this vulnerability to Xiaomi, but it still hasn’t been patched by the company. Xiaomi awarded Khan bug bounty, but decided to leave the issue unpatched. This browser flaw affects only international variants, while China variants are safe.
The CVE-2019-10875 vulnerability is said to be a spoofing issue inside the address bar that exists because of a flaw in the browsers’ interface. The vulnerability exists both in the in-built Mi Browser on Xiaomi devices and in the Mint browser as well. Mint Browser can also be downloaded via Google Play by non-Xiaomi phone users. The Hacker News reports that the flaw can dupe users to thinking that they are visiting a trusted website, when they are actually visiting a site that served phishing or malicious content. This URL spoofing vulnerability allows hackers to bypass basic verifying indicators like URL and SSL.
This vulnerability only affects international variants of both the browsers, and the China variants do not contain this vulnerability. “The thing that struck me most was that only their overseas or, international versions were having this security bug and not their Chinese or, domestic versions. Was it done deliberately thus? Are Chinese device manufacturers intentionally making their OS, applications, and firmware vulnerable for their international users?” Arif told The Hacker News in an emailed statement. Khan has published proof of concept video, and it can be viewed below
Khan also confirmed to the publication that Xiaomi rewarded him with a bug bounty (marginal amount of $99 for each browser) for reporting the issue that affects millions of users, but has chosen to leave the vulnerability unpatched. We’ve reached out to Xiaomi for comment on the issue, and will update this space when we hear back.
Android users, especially Xiaomi users, are highly recommended to avoid using the Mi browser. Modern web browsers like Chrome and Firefox should be used on smartphones. Xiaomi phones are immensely popular in India, with the company awarded the No.1 smartphone brand in 2018 by IDC. This vulnerability, and the company’s lacklustre approach to resolving it, raises many questions.