Security Advisories

CVE-2021-40834: User interface Spoofing in F-Secure SAFE browser for Android

Description

Full Screen Overlay User Interface Spoofing attack.

STATUS: Fixed

RISK LEVEL: Medium

FIX: Upgrade to version 18.5.x, which is available in Google Play.

Affected Products

F-Secure SAFE Browser Version 17.9 and below

Platforms

  • Android

More Information

A user interface overlay vulnerability was discovered in SAFE Browser for Android. When a user clicks a specially crafted, seemingly legitimate URL, SAFE Browser switches to full-screen mode and hides its own user interface, including the address bar. Because no browser chrome is visible, the attacker-controlled page can draw a fake address bar and other browser elements showing a legitimate-looking address. A remote attacker can leverage this to perform a spoofing attack.

This issue was reported to F-Secure through the Vulnerability Reward Program. No known exploit or attack has been seen in the wild.
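The advisory does not describe how F-Secure fixed the issue. The following Android WebChromeClient is an added illustration, not F-Secure code, of the generic mitigation for this class of bug: when web content requests full screen (Android's WebView delivers such requests to the host app through onShowCustomView), the browser keeps an app-drawn banner naming the page's origin visible for as long as the page owns the screen, so the hidden address bar cannot be impersonated, and always leaves the user a way out. The class, layout and banner names are assumptions for the example.

```java
import android.net.Uri;
import android.view.View;
import android.view.ViewGroup;
import android.webkit.WebChromeClient;
import android.webkit.WebView;
import android.widget.FrameLayout;
import android.widget.TextView;

// Added example (not F-Secure code): a WebChromeClient that keeps an
// origin indicator visible for as long as web content is in full screen.
public class OriginAwareChromeClient extends WebChromeClient {
    private final WebView webView;
    private final FrameLayout fullscreenContainer; // assumed: a layer covering the activity
    private final TextView originBanner;            // assumed: drawn on top of that layer
    private View customView;
    private CustomViewCallback callback;

    public OriginAwareChromeClient(WebView webView, FrameLayout fullscreenContainer,
                                   TextView originBanner) {
        this.webView = webView;
        this.fullscreenContainer = fullscreenContainer;
        this.originBanner = originBanner;
    }

    // Invoked by WebView when the page calls element.requestFullscreen()
    // or a <video> element enters full screen.
    @Override
    public void onShowCustomView(View view, CustomViewCallback cb) {
        if (customView != null) {
            // A second request while already full screen is refused.
            cb.onCustomViewHidden();
            return;
        }
        customView = view;
        callback = cb;
        fullscreenContainer.addView(view, new FrameLayout.LayoutParams(
                ViewGroup.LayoutParams.MATCH_PARENT, ViewGroup.LayoutParams.MATCH_PARENT));
        fullscreenContainer.setVisibility(View.VISIBLE);
        webView.setVisibility(View.GONE);

        // The browser chrome is gone, so the app itself says who owns the screen.
        // The banner is an app view, not page content, so the page cannot repaint it.
        originBanner.setText(describeOrigin(webView.getUrl()));
        originBanner.setVisibility(View.VISIBLE);
        originBanner.bringToFront();
    }

    @Override
    public void onHideCustomView() {
        if (customView == null) return;
        fullscreenContainer.removeView(customView);
        fullscreenContainer.setVisibility(View.GONE);
        originBanner.setVisibility(View.GONE);
        webView.setVisibility(View.VISIBLE);
        customView = null;
        callback.onCustomViewHidden();
        callback = null;
    }

    // The host activity calls this from onBackPressed() so the Back button
    // always leaves full screen, regardless of what the page draws.
    public boolean exitFullscreenIfActive() {
        if (customView == null) return false;
        onHideCustomView();
        return true;
    }

    // Show only scheme and host: the page can fake its own content, not this text.
    static String describeOrigin(String url) {
        if (url == null) return "Full screen: unknown page";
        Uri u = Uri.parse(url);
        String host = u.getHost();
        if (host == null || host.isEmpty()) return "Full screen: " + url;
        String scheme = u.getScheme() == null ? "" : u.getScheme() + "://";
        return "Full screen: " + scheme + host;
    }
}
```

A banner that only flashes briefly on entry (as some mobile browsers do) is weaker than one that stays, or that reappears on every touch, because the spoofed page can simply wait it out before showing its fake login form. Hiding the WebView while the custom view is shown also prevents the page from layering its own content under the banner.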

Mitigating factors

Exploiting the vulnerability requires the user to click on a specially crafted malicious URL.

Credits

F-Secure Corporation would like to thank Narendra Bhati (@imnarendrabhati) for bringing this issue to our attention.

Date Issued: 2021-12-10