Trend Micro has made the decision to remove the Privacy Browser from its Dr Safety Android security suite after a reoccurring flaw was discovered in its software.
As reported by The Register, the vulnerability, which could be abused to trick users into believing that malicious web pages were legitimate, was first discovered by security consultant Dhiraj Mishra who responsibly reported it to the company back in April.
If exploited by an attacker, the bug could be used to alter the address bar on pages viewed in Trend Micro’s Privacy Browser. For example, a phishing page designed to steal users’ banking credentials could rewrite the URL bar to show the bank’s real domain name as opposed to the URL used by the attackers.
Privacy Browser
Mishra explained that the flaw would be fairly easy to exploit and that an attacker would have plenty of targets to choose from given its install base of 10m people in an interview with The Register, saying:
“To exploit such flaws remotely, an attacker would host a malicious JavaScript packet and if a user visits a page hosting that malicious code, a new window or tab can be opened with a fake URL. There is no way of determining if the URL is authentic or not due to which this could result in capturing sensitive information such as username passwords. Additionally, along with address bar spoofing, attackers could also spoof SSL which makes the attack more difficult to determine the authenticity of the URL.”
The vulnerability, tracked as CVE-2018-18334, has been confirmed by Trend Micro, though the company has decided to disable the browser outright instead of developing a patch for the flaw. Just by looking at the CVE assignment, you can see that the bug was first discovered in 2018 and the company has tried to deal with it in the past.
Back in January of last year, Trend Micro tried to patch the vulnerability but this year, Mishra was able to identify multiple address spoofing bugs of the same type that had not been fixed in the software. This explains why Trend Micro has now chosen to disable the Privacy Browser all together in its Dr Safety Android app.
- Also check out our complete list of the best VPN services
Via The Register
