DuckDuckGo Android Browser vulnerability presents spoofed website as legitimate one
An address bar spoofing vulnerability, CVE-2019-12329, in the DuckDuckGo browser for Android, which has more than 5 million installs, was found by cybersecurity researcher Dhiraj Mishra. The vulnerability was detected in version 26.0 of the Android app and reported to the company through its bug bounty program hosted on HackerOne. Because of this flaw, many users are exposed to URL spoofing attacks.
More about DuckDuckGo’s vulnerability
A very similar bug was reported by Arif Khan in UC Browser for Android. He discovered “a URL Address Bar spoofing vulnerability in the latest version of the UC Browser 18.104.22.1684 and UC Browser Mini 22.214.171.1242 that have over 500mn and 100mn installs each respectively, as per Playstore”. The UC Browser vulnerability likewise allows an attacker to disguise a phishing domain so that it appears trustworthy.
Short note on DuckDuckGo
DuckDuckGo, an internet privacy company, protects users’ personal information. It recently launched a bug bounty program hosted on the HackerOne platform. Its advertising promises users a search engine that does not track their activity: “the search engine that doesn’t track you”.
According to the company, “We are not offering monetary bounties at this time, however, we would love to send you some swag for valid submissions.”
On 3 October 2018, the DuckDuckGo vulnerability was submitted on the HackerOne platform and was marked as stern. Discussion of the bug continued until 27 May this year, when the company’s security team confirmed that it does not consider the vulnerability a serious issue.