• Home
  • Mobiles
  • Mobiles News
  • Xiaomi's Mi Browser, Mint Browser Said to Contain Critical URL Spoofing Security Vulnerability

Xiaomi's Mi Browser, Mint Browser Said to Contain Critical URL Spoofing Security Vulnerability

Share on Facebook Tweet Share Reddit Comment
Xiaomi's Mi Browser, Mint Browser Said to Contain Critical URL Spoofing Security Vulnerability

Photo Credit: The Hacker News/ ANDMP

Xiaomi’s Mi Browser international variant only contains the vulnerability

Highlights
  • Mi Browser said to have URL spoofing flaw that hackers can exploit
  • Users can be duped into accessing malicious sites, due to URL spoofing
  • Xiaomi allegedly paid researcher for reporting issue, but left it unpatch

A new vulnerability has reportedly been discovered in Xiaomi's default pre-installed Mi Browser app and Mint Browser that essentially allows a malicious website to control URLs displayed in the address bar. The vulnerability has been allegedly been listed on Common Vulnerabilities and Exposures (CVE) database, but is in a "reserved state" for. It was discovered by security researcher Arif Khan. The researcher privately is said to have reported this vulnerability to Xiaomi, but it still hasn't been patched by the company. Xiaomi awarded Khan bug bounty, but decided to leave the issue unpatched. This browser flaw is said to affect only international variants, while China variants are allegedly safe.

The CVE-2019-10875 vulnerability is said to be a spoofing issue inside the address bar that exists because of a flaw in the browsers' interface. The vulnerability is said to exist both in the in-built Mi Browser on Xiaomi devices and in the Mint browser as well. Mint Browser can also be downloaded via Google Play by non-Xiaomi phone users. The Hacker News reports that the flaw can dupe users to thinking that they are visiting a trusted website, when they are actually visiting a site that served phishing or malicious content. This URL spoofing vulnerability allows hackers to bypass basic verifying indicators like URL and SSL.

This vulnerability only affects international variants of both the browsers, and the China variants do not contain this vulnerability. "The thing that struck me most was that only their overseas or, international versions were having this security bug and not their Chinese or, domestic versions. Was it done deliberately thus? Are Chinese device manufacturers intentionally making their OS, applications, and firmware vulnerable for their international users?" Arif told The Hacker News in an emailed statement. Khan has published proof of concept video, and it can be viewed below:


Khan also confirmed to the publication that Xiaomi rewarded him with a bug bounty (marginal amount of $99 for each browser) for reporting the issue that affects millions of users, but has chosen to leave the vulnerability unpatched. We've reached out to Xiaomi for comment on the issue, and will update this space when we hear back.

Android users, especially Xiaomi users, are highly recommended to avoid using the Mi browser. Modern web browsers like Chrome and Firefox should be used on smartphones. Xiaomi phones are immensely popular in India, with the company awarded the No.1 smartphone brand in 2018 by IDC. This vulnerability, and the company's lacklustre approach to resolving it, raises many questions.

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

Further reading: XIaomi, Mi Browser, Mint Browser
Tasneem Akolawala When not expelling tech wisdom, Tasneem feeds on good stories that strike on all those emotional chords. She loves road trips, a good laugh, and interesting people. She binges on movies, sitcoms, food, books, and DIY videos. More
iPad mini (2019) Bends in Stress Test but Stays Usable With Screen Intact
Airtel DTH Packs and Plans 2019: List of Channels Packs, Price Available on Airtel Digital TV
 
 

Advertisement

 

Advertisement

© Copyright Red Pixels Ventures Limited 2019. All rights reserved.