Home
Mobiles
Mobiles News
Xiaomi's Mi Browser, Mint Browser Said to Contain Critical URL Spoofing Security Vulnerability

Xiaomi's Mi Browser, Mint Browser Said to Contain Critical URL Spoofing Security Vulnerability

By Tasneem Akolawala | Updated: 5 April 2019 19:20 IST

Photo Credit: The Hacker News/ ANDMP

Xiaomi’s Mi Browser international variant only contains the vulnerability

Highlights

Mi Browser said to have URL spoofing flaw that hackers can exploit
Users can be duped into accessing malicious sites, due to URL spoofing
Xiaomi allegedly paid researcher for reporting issue, but left it unpatch

A new vulnerability has reportedly been discovered in Xiaomi's default pre-installed Mi Browser app and Mint Browser that essentially allows a malicious website to control URLs displayed in the address bar. The vulnerability has been allegedly been listed on Common Vulnerabilities and Exposures (CVE) database, but is in a "reserved state" for. It was discovered by security researcher Arif Khan. The researcher privately is said to have reported this vulnerability to Xiaomi, but it still hasn't been patched by the company. Xiaomi awarded Khan bug bounty, but decided to leave the issue unpatched. This browser flaw is said to affect only international variants, while China variants are allegedly safe.

The CVE-2019-10875 vulnerability is said to be a spoofing issue inside the address bar that exists because of a flaw in the browsers' interface. The vulnerability is said to exist both in the in-built Mi Browser on Xiaomi devices and in the Mint browser as well. Mint Browser can also be downloaded via Google Play by non-Xiaomi phone users. The Hacker News reports that the flaw can dupe users to thinking that they are visiting a trusted website, when they are actually visiting a site that served phishing or malicious content. This URL spoofing vulnerability allows hackers to bypass basic verifying indicators like URL and SSL.

This vulnerability only affects international variants of both the browsers, and the China variants do not contain this vulnerability. "The thing that struck me most was that only their overseas or, international versions were having this security bug and not their Chinese or, domestic versions. Was it done deliberately thus? Are Chinese device manufacturers intentionally making their OS, applications, and firmware vulnerable for their international users?" Arif told The Hacker News in an emailed statement. Khan has published proof of concept video, and it can be viewed below:

Khan also confirmed to the publication that Xiaomi rewarded him with a bug bounty (marginal amount of $99 for each browser) for reporting the issue that affects millions of users, but has chosen to leave the vulnerability unpatched. We've reached out to Xiaomi for comment on the issue, and will update this space when we hear back.

Android users, especially Xiaomi users, are highly recommended to avoid using the Mi browser. Modern web browsers like Chrome and Firefox should be used on smartphones. Xiaomi phones are immensely popular in India, with the company awarded the No.1 smartphone brand in 2018 by IDC. This vulnerability, and the company's lacklustre approach to resolving it, raises many questions.

Comments

For the latest tech news and reviews, follow Gadgets 360 on X, Facebook, WhatsApp, Threads and Google News. For the latest videos on gadgets and tech, subscribe to our YouTube channel. If you want to know everything about top influencers, follow our in-house Who'sThat360 on Instagram and YouTube.