Security Advisories

CVE-2021-33594: F-Secure SAFE Browser for Android Vulnerable to Address Bar Spoofing

Description

F-Secure SAFE Browser is vulnerable to address bar spoofing.

STATUS: Fixed

RISK LEVEL: Medium

FIX: Upgrade to version 18.4.x or newer from Google Play

Affected Products

Consumer Products:

  • F-Secure SAFE Browser version 18.3.x and below

Platforms

  • Android

More Information

An address bar spoofing vulnerability was discovered in SAFE Browser for Android. When a user clicks on a specially crafted malicious URL, the address bar shows what appears to be a legitimate URL, while the content comes from another domain and is presented in a window covering the original content. A remote attacker can leverage this to perform an address bar spoofing attack.

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.

Mitigating factors

Exploiting the vulnerability requires the user to click on a specially crafted malicious URL.

Credits

F-Secure Corporation would like to thank Narendra Bhati (@imnarendrabhati) for bringing this issue to our attention.

Advisory changes

Date        Changes
2021-08-11  First advisory published.
2021-08-12  Risk level changed from 'Low' to 'Medium'.

Date Issued: 2021-08-11
Date Updated: 2021-08-12