Mozilla Foundation Security Advisory 2016-82

Addressbar spoofing with right-to-left characters on Firefox for Android

Announced

August 2, 2016

Reporter

Rafay Baloch

Impact

Moderate

Products

Firefox

Fixed in

Firefox 48

Description

Security researcher Rafay Baloch reported a mechanism to spoof the addressbar in Firefox for Android using right-to-left character sets when combined with left-to-right characters. This can be used to cause only certain portions of the loaded left-to-right character portion of the URL to be displayed, misleading users as to what site is loaded, possibly leading to phishing attacks.

This vulnerability does not affect the desktop version of Firefox.

References

Firefox Mobile Address Bar Spoofing (CVE-2016-5267)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2016-82

Addressbar spoofing with right-to-left characters on Firefox for Android

Description

References