[Advisory] Unpatched URL Address Bar Spoofing Vulnerability in UC Browser 12.11.2.1184 and UC Browser Mini 12.10.1.1192: With the same old one-liner payload...

Brief

I discovered an URL Address Bar spoofing vulnerability in the latest version of the UC Browser 12.11.2.1184  and UC Browser Mini 12.10.1.1192 that have over 500mn and 100mn installs each respectively, as per Playstore.

This vulnerability allows any attacker to pose (his phishing domain) as the targeted site, for example, a domain blogspot.com can pretend to be facebook.com, by simply making an user visit www.google.com.blogspot.com/?q=www.facebook.com

Description

Previously, I wrote about this issue affecting Xiaomi Mi and Mint browsers, but now UC Browsers (only latest versions) share the same behavior much to my surprise. I find it worth mentioning that some old and other versions of UC Browsers are still not vulnerable to this, which puts me into confusion, which points at the fact that a new feature might have been added to this browser sometime back which is causing this issue. 

I have seen a lot of mobile (android) browsers show this behavior, Xiaomi browsers for instance. The main reason behind it is, I guess, these browsers are trying to enhance the User Experience by just displaying the search term for certain URL patterns (search engines and websites like that of Yahoo!, Google).

However, while they are trying to display only the content or, data passed by the query parameter, an attacker can leverage this behavior to achieve URL Address Bar spoofing which can lead to efficient phishing attacks at ease. 

The fact that their regex rules just match the URL string, or, the URL any user is trying to visit to a whitelist pattern but only check if the URL begins with a string like www.google.com can enable an attacker to bypass this regex check by simply using a subdomain on his domain like www.google.com.blogspot.com and attach the target domain name (which he wants to pose as) to the query portion of this subdomain like ?q=www.facebook.com

The payload being just a one-liner, this can lead to flawless phishing attacks, which is nearly undetectable and is very easy to execute.

Products affected (Versions)

UC Browser 12.11.2.1184  and UC Browser Mini 12.10.1.1192

CVE

Not assigned yet. A request has been sent to Mitre for the same.

Proof of Concept(s)

Payload: www.google.com.attacker.domain/?q=www.facebook.com

UC Browser:

UC Mini:

Reporting Timeline

Issue has been disclosed to their security team sometime back (more than a week ago) but they have now simply simply put an Ignore status on the report.

I have not been given any ETA for a fix from their end.

Taking all this into consideration, I decided to write up on this issue. Interested people can take a look at My Vulnerability Disclosure Policy to learn more about my Vulnerability Disclosure process.

Rewards 

$ 0.

Fixed

No, no patches have been released so far to addressed this issue.

Solution

Use stronger regex checks if you want to show search strings in this format in URL bar, or, just remove this feature/behavior entirely so that it doesn't show up in another form later (Mint browser patches were bypassed several times by a fellow researcher because they decided to still keep that feature but with some minor enhancements).