- The flaw tracked as CVE-2019-12329 is an address bar spoofing vulnerability that allows the content shown in the browser's omnibar to be spoofed.
- DuckDuckGo’s security team concluded that the flaw doesn't need a fix as it 'doesn't seem to be a serious issue' and marked the bug as informative.
A security researcher named Dhiraj Mishra uncovered a flaw in version 5.26.0 of the DuckDuckGo Privacy Browser application for Android that could allow an attacker to launch URL spoofing attacks.
What is the vulnerability?
What is the impact?
Attackers can conduct URL spoofing attacks by exploiting the vulnerability to alter the URL displayed in the address bar (omnibar) of the vulnerable browser.
In this way, attackers can trick unsuspecting victims into believing that the website they are currently browsing is controlled by a trusted party, while the site is actually under the control of bad actors.
What’s the conclusion?
Upon discovery, Mishra reported the flaw to DuckDuckGo’s security team through their bug bounty program on the HackerOne bug bounty platform on October 31, 2018.
The security team concluded that the flaw doesn't need a fix as it 'doesn't seem to be a serious issue' and marked the bug as informative; however, they awarded the researcher swag on November 13, 2018.