Vulnerability in DuckDuckGo allows attackers to launch URL spoofing attacks

• The flaw tracked as CVE-2019-12329 is an address bar spoofing vulnerability that allows the browser’s omnibar to be spoofed.
• DuckDuckGo’s security team concluded that the flaw doesn't need a fix as it 'doesn't seem to be a serious issue' and marked the bug as informative.

A security researcher named Dhiraj Mishra uncovered a flaw in DuckDuckGo Privacy Browser application 5.26.0 for Android that could allow an attacker to launch URL Spoofing attacks.

What is the vulnerability?

The flaw tracked as CVE-2019-12329 is an address bar spoofing vulnerability that allows the browser’s omnibar to be spoofed with the help of a specially crafted JavaScript page which makes use of the setInterval function to reload an URL every 10 to 50 ms.

“The actual magic happens at `fakefunction()` above-crafted javascript file loads the real www.duckduckgo.com in a loop of every 50 ms whereas the inner HTML can be modified accordingly,” the researcher described in his blog.

What is the impact?

Attackers can conduct URL spoofing attacks by exploiting the vulnerability and modifying the URL displayed in the address bar (omnibar) of the vulnerable browser.

By this way, attackers can trick unsuspicious victims to believe that the website they're currently browsing is controlled by a trusted party, while, the site is actually under the control of bad actors.

What’s the conclusion?

Upon discovery, Mishra reported the flaw to DuckDuckGo’s security team through their bug bounty program on the HackerOne bug bounty platform on October 31, 2018.

The security team concluded that the flaw doesn't need a fix as it 'doesn't seem to be a serious issue' and marked the bug as informative, however, they awarded the researcher a swag on November 13, 2018.