For more than a year, mobile browsers like Google Chrome, Firefox, and Safari failed to show any phishing warnings to users, according to a research paper published this week.
“We identified a gaping hole in the protection of top mobile web browsers,” the research team said.
“Shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection.”
The issue only impacted mobile browsers that sued the Google Safe Browsing link blacklisting technology.
The research team — consisting of academics from Arizona State University and PayPal staff — notified Google of the problem, and the issue was fixed in late 2018.
“Following our disclosure, we learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended,” researchers said.
PHISHFARM RESEARCH PROJECT
The discovery of this significant security bug came during an academic research project named PhishFarm, started in early 2017.
During PhishFarm, researchers created and deployed 2,380 phishing pages mimicking the PayPal login page. Researchers didn’t measure how fast their URLs landed on URL blacklists. This type of research has been done in the past.
Instead, they focused on deploying phishing pages with “cloaking techniques” aimed at tricking URL blacklist technologies and then recording the time it took for these “cloaked” phishing pages to land on lists of “dangerous sites” — or if they landed at all.
For PhishFarm, researchers tested URL blacklists such as Google Safe Browsing, Microsoft SmartScreen, and those managed by US-CERT, the Anti-Phishing Working Group, PayPal, PhishTank, Netcraft, WebSense, McAfee, and ESET.
Further, the research team’s phishing pages also used six (actually five) cloaking techniques researchers said they’ve seen used by phishing kits in the real-world:
– Cloak A – allow all users to view the phishing page, aka a no-cloak mode used as a baseline for all detections
– Cloak B – allow only users from mobile devices
– Cloak C – allow only US users from desktop devices
– Cloak D – allow only non-US users from desktop devices
– Cloak E – block visitors from IP addresses known to be associated with security vendors
Results varied per URL blacklists and cloaking technique [check graphs at the end of the research paper], but the thing that stood out during their research was that cloaks A, E, and F had zero detections on mobile browsers that were using Google’s Safe Browsing URL blacklist.
When researchers repeated their tests in mid-2018, they got the same results, at which point they realized that Google’s Safe Browsing technology was not working as intended on mobile devices. [Cloak A was effectively a “no cloak,” meaning that Safe Browsing was not alerting users about any phishing pages, even if they used cloaking technologies or not — effectively not working at all].
The issue was eventually fixed by the end of 2018, researchers said.
Code Execution Vulnerability Identified in Change Healthcare Cardiology DevicesA vulnerability has been identified in Change Healthcare Cardiology, McKesson Cardiology, and Horizon Cardiology devices. The vulnerability could be exploited by a locally authenticated...
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most Targeted
29% of Small Businesses Spend Less Than $1,000 on IT Security Annually and Why They Are The Most TargetedThe digital and network footprint of small businesses is continually growing. Online commerce, social media, remote workers, and cloud-based IT infrastructure are...
What Other Companies Can Learn from Facebook’s $5 Billion Fine and Why Privacy MattersWhile Facebook’s $5 billion settlement stands as the largest fine in the history of the Federal Trade Commission (FTC), one must take into consideration that not every company is...
Stay Up to Date With The Latest News & Updates
Join Our Newsletter
Get weekly tech updates and immediate alerts when there is a zero-day or security issue!