
Mobile browsers of Chrome, Firefox, and Safari failed to warn of phishing attacks for over a year

  • An academic research project revealed that the mobile browsers, from mid-2017 to the end of 2018, did not alert users about phishing pages.
  • Browsers that used the Google Safe Browsing blacklist service were the ones impacted.

It has been discovered that the mobile applications of Chrome, Firefox, and Safari were not warning users of impending phishing attacks from dangerous websites. A research project by academics from Arizona State University, in collaboration with PayPal, unearthed the issue.

The project, dubbed PhishFarm, found that the Google Safe Browsing (GSB) blacklist service used in these browsers had flawed functionality, which led to the issue.

What is PhishFarm?

  • The PhishFarm project tested multiple phishing-blacklisting services, such as GSB, Microsoft SmartScreen, APWG, PayPal and PhishTank, starting from mid-2017.
  • The tests involved ‘cloaking’ phishing sites carrying a PayPal login page and analyzed how these services fared at countering phishing. A total of 2,380 phishing sites were deployed for the tests.
  • The team employed six cloaking techniques in the tests. It was observed that GSB failed to identify phishing sites for certain cloaking techniques.
  • They noticed that a new API in GSB led to improper blacklisting in the service. “We learned that the inconsistency in mobile GSB blacklisting was due to the transition to a new mobile API designed to optimize data usage, which ultimately did not function as intended,” said the team.

Issue rectified soon

After the PhishFarm team concluded the tests, they contacted Google as well as Mozilla. Google rectified the issue in GSB by the end of 2018.

“As a result, in mid-September 2018 Mozilla patched Firefox (from version 63) such that all desktop warnings were also shown on mobile. Google followed suit days thereafter with a GSB API fix that covered mobile GSB browsers retroactively; mobile Chrome and Safari now mirror desktop listings,” said the team.
