It has been reported that Xiaomi browsers are still vulnerable after failed patches. Xiaomi has had trouble permanently patching its browsers against a vulnerability that enables URL spoofing in a way that is difficult for users to detect. The flaw affects the international versions of Mint Browser and Mi, the web browser that comes pre-installed on Xiaomi smartphones. It was patched and re-patched, yet it still persists in the two products, which are present on millions of devices.
Here’s how attackers can spoof URLs on Mint or MI Browser:
Just add "?q=" parameter after any URL following the targeted domain,
Example → https://t.co/WyxUCwg8OO
Xiaomi browsers will display “🔒https://t.co/oMypZM6lQW” in the URL while loading the content from phishing site. pic.twitter.com/Ex6u4cxNRY
— The Hacker News (@TheHackersNews) April 5, 2019
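A defender-side check for the "?q=" pattern described in the tweet above, added here as an example (not code from the original report or from Xiaomi): it flags links whose "q" value names a host other than the one actually serving the page. The function names and the ".example" hostnames are assumptions constructed for illustration.

```javascript
// Added example: flag links whose "q" parameter names a different site
// than the host that serves the page. All hostnames are constructed samples.

// Extract a hostname from a q value such as "https://bank.example/login" or "bank.example".
function hostFromQuery(value) {
  const hasScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(value);
  try {
    const host = new URL(hasScheme ? value : `https://${value}`).hostname.toLowerCase();
    // Require a dotted name so ordinary search terms ("weather") are ignored.
    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(host) ? host : null;
  } catch {
    return null; // not URL-like (e.g. contains spaces)
  }
}

function stripWww(host) {
  return host.replace(/^www\./, "");
}

// Compare the host that actually serves the link with the host claimed in q.
function checkLink(link) {
  let url;
  try {
    url = new URL(link);
  } catch {
    return { link, suspicious: false, actual: null, claimed: null };
  }
  const actual = url.hostname.toLowerCase();
  for (const value of url.searchParams.getAll("q")) {
    const claimed = hostFromQuery(value.trim());
    if (claimed && stripWww(claimed) !== stripWww(actual)) {
      return { link, suspicious: true, actual, claimed };
    }
  }
  return { link, suspicious: false, actual, claimed: null };
}

function suspiciousLinks(links) {
  return links.map(checkLink).filter((r) => r.suspicious);
}

// Constructed sample input (reserved .example names, not real sites).
const SAMPLE_LINKS = [
  "https://phish.example/?q=bank.example",
  "https://phish.example/landing?q=https://www.bank.example/login",
  "https://search.example/?q=weather+tomorrow",
  "https://www.bank.example/?q=bank.example",
];

console.log(suspiciousLinks(SAMPLE_LINKS));
```

A search query that happens to look like a domain name also matches, so a hit is a signal for review in a mail or proxy filter, not a verdict.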
Did you switch to LineageOS or any of its forks?
"Xiaomi Browsers Still Vulnerable After Failed Patches"
Maybe you should, or at least use another browser like Firefox or Pale Moon for now 🙂
#cybersecurity https://t.co/1FpTPymbbD
— tresronours cybersec (@tresronours) April 9, 2019
Anjola Adeniyi, Technical Leader at Securonix:
“This takes phishing to another level and bypasses the obvious things users rely on like URL and SSL. That only their international versions have this security bug and not their Chinese versions is rather concerning, to say the least.
This is made worse as China continues to emerge as pre-eminent in numerous areas of technology, and we’ve seen such debates in relation to Huawei and 5G. President Xi Jinping has explicitly set a goal, with a well-funded plan, for China to lead the world in AI and other advanced technologies by 2030.
Following this sort of issue, Android users are advised to use web browsers that are not affected by this vulnerability, such as Chrome or Firefox.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.