DuckDuckGo vulnerability in the Android v26.0 version

DuckDuckGo Android Browser vulnerability presents a spoofed website as a legitimate one

An address bar spoofing vulnerability, CVE-2019-12329, in the DuckDuckGo browser (more than 5 million installs) has been detected by cyber security researcher Dhiraj Mishra. The vulnerability was found in Android version v26.0 and reported to the company via its bug bounty program hosted on HackerOne. Because of this vulnerability, many users are exposed to URL spoofing attacks.

More about DuckDuckGo’s vulnerability

In the proof of concept, the researcher states that the exploit works with the help of a specially crafted JavaScript page that makes use of a sensitive function. As a result, the address bar shows a URL that appears to be a legitimate one, while in fact the page being displayed is under the control of the attacker.

A very similar bug was reported by Arif Khan in UC Browser for Android. He discovered “an URL Address Bar spoofing vulnerability in the latest version of the UC Browser and UC Browser Mini that have over 500mn and 100mn installs each respectively, as per Playstore”. The UC Browser vulnerability likewise enables attackers to masquerade as a trusted site, making a phishing domain appear trustworthy.

Short note on DuckDuckGo

DuckDuckGo, an Internet privacy company, aims to protect users’ personal information. It has recently launched a bug bounty program hosted on the HackerOne platform. The company advertises itself as a search engine that does not track user activity: “the search engine that doesn’t track you”.

According to the company, “We are not offering monetary bounties at this time, however, we would love to send you some swag for valid submissions.”

On 3rd October 2018, the DuckDuckGo vulnerability was submitted on the HackerOne platform and was marked as severe. The discussion of the bug continued until May 27 this year, when the company’s security team concluded that the vulnerability is not a serious issue.