Rafay Baloch is a Pakistani ethical hacker who is known and respected worldwide — This time, he reported an Address Bar Spoofing Vulnerability in Chrome and FireFox and earned $5000 in return!
Rafay Baloch, a Pakistani security researcher and ethical hacker discovered a critical security flaw in Chrome and FireFox browsers that would let an attacker to trick users into visiting a fake or malicious website and steal their login or financial information.
Baloch who received $5000 as bug bounty reward for identifying and reporting the Address Bar Spoofing Vulnerability to authorities writes in his blog post that this flaw existed because there are certain languages that are displayed right-to-left on all browsers such as Urdu, Arabic, Hebrew and Persian, due to mishandling of several Unicode characters and different rendering; placing character like forward slash (“/”) the websites could be flipped and displayed from Right To Left.
Must Read: 10 Famous Bug Bounty Hunters of All Time
He also gave an example for better understanding:
The URL 127.0.0.1/ا/http://example.com would display itself as http://example.com/ا/127.0.0.1 on the browser.
The URL will turn into http://google.com/test/220.127.116.11 allowing attackers to redirect users to fake any site they want.
Baloch has refrained from providing more technical details as Google and FireFox are fixing the flaw however he mentioned that ”variation of similar vulnerability has also been discovered in several other browsers.”
Rafay Baloch is the same hacker who previously discovered a remote code execution vulnerability in Paypal. This led to Paypal offering him a job plus a huge monetary reward of $10,000. He also discovered the Android Stock Browser Address Bar Spoofing which was fatal for the current as well as the earlier versions of android.
If you wish to go through more technical details visit Rafay’s blog here.