Pakistani ethical hacker, Rafay Baloch, receives a $5,000 bounty for exposing Chrome, Firefox address bar flaw

22 Aug

By Maryam Dodhy

Pakistani ethical hacker, Rafay Baloch, has exposed a vulnerability in Chrome and Firefox which essentially says that the way these browsers render website addresses could expose users to malicious websites that otherwise appear to be legitimate.

On Tuesday, Rafay Baloch published a blog on his website where he explained the address-bar spoofing bug. The bug could allow a hacker to trick the user by displaying a spoofed page for an invalid URL.

“Google security team themselves state that ‘We recognize that the address bar is the only reliable security indicator in modern browsers’ and if the only reliable security indicator could be controlled by an attacker it could carry adverse effects. For instance potentially tricking users into supplying sensitive information to a malicious website due to the fact that it could easily lead the users to believe that they are visiting is a legitimate website as the address bar points to the correct website. ”

This has earned him a $5000 bug bounty.

This address bar spoofing flaw works because several languages like Arabic and Hebrew are written from right to left. Due to mishandling of several Unicode characters and how they are rendered with a first strong character, let’s say, an IP address or an alphabet could lead to a spoofed URL. Rafay spotted this bug by placing neutral characters such as “/”, “ا” in the file path which, according to him, causes the URL to be flipped.

For example,ا/ would instead appear in the browser bar asا/ This means that a person clicking on the link would assume to be going to but the site would actually display data from You can read about it in detail here.

According to Rafay, this vulnerability exists in some other browsers as well who are currently undergoing a fix which is why he refrained from mentioning them. However, Chrome and Firefox appear to have fixed the bug on his timely discovery and indication.

Rafay Baloch is a pretty accomplished penetration tester. Finding a bug with PayPal back in 2012, he managed to get a USD 10,000 bounty. In 2014, his work on a bug in Android got featured with Forbes and BBC. He also got featured on our 25 UNDER 25.

Editing by Muneeb Ahmad



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: