Full Disclosure mailing list archives
URL spoofing in UC browser.
From: x ksi <s3810 () pjwstk edu pl>
Date: Sat, 11 Mar 2017 16:55:56 +1100
Hey list. It's possible to spoof an URL in mobile versions (Android) of the UC browser [1][2] via <title> HTML tags. The newest version from gplay (11.2.5.932) and the Meizu [3][4] branded default browser (6.1.301) are affected. And the shocking poc would be: -- <html> <head> <title> https://you_are_safe_here.google.com/ </title> щ(゚Д゚щ </head> </html> -- which results in http://s1m0n.dft-labs.eu/files/meizu/ . References: [1] https://en.wikipedia.org/wiki/UC_Browser [2] http://www.ucweb.com/company/about/ [3] http://www.meizu.com/en/ [4] http://www.themobileindian.com/news/meizu-partners-with-uc-browser-12605 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- URL spoofing in UC browser. x ksi (Mar 14)