Apple, Opera and Yandex fix browser address bar spoofing bugs, but millions more still left vulnerable

Each year, phishing continues to be a remarkably common and successful tactic employed by malicious actors to compromise user credentials. While individuals are generally educated to recognize the common indicators of phishing attempts, many depend on meticulously checking the website address displayed in their browser’s address bar to verify a site’s authenticity.
However, even the built-in anti-phishing protections offered by web browsers – frequently the final safeguard for potential victims – are not foolproof.
Security researcher Rafay Baloch identified multiple security flaws in several popular mobile browsers – including Apple’s Safari, Opera, and Yandex – that, if exploited, could allow an attacker to trick the browser into displaying a web address different from the site actually being visited. These address bar spoofing vulnerabilities make it far easier for attackers to pass off their fraudulent pages as legitimate websites, creating ideal conditions for password theft.
These vulnerabilities exploit a timing issue in a vulnerable browser’s page-loading process. Once a user has been tricked into clicking a link from a phishing email or text message, the malicious page uses hidden code to replace its own address in the browser’s address bar with any address the attacker chooses.
In certain instances, the vulnerable browser continued to display the green padlock icon, falsely indicating that the malicious webpage with the altered address was secure and trustworthy.
Tod Beardsley, research director at Rapid7, who assisted Baloch in reporting these vulnerabilities to the respective browser developers, emphasized that address bar spoofing attacks pose a particular threat to mobile users. “Mobile devices have limited screen real estate, so every small amount of space is crucial. Consequently, there isn’t much room for displaying security indicators,” Beardsley explained to TechCrunch. “On a desktop browser, users can examine the link, hover over it to preview the destination, or click the lock icon to view certificate details. These additional verification methods are generally unavailable on mobile, meaning the location bar must clearly and reliably inform the user of the website they are visiting. If you are directed to palpay.com instead of the legitimate paypal.com, you should be able to recognize this discrepancy and avoid entering your password.”
“These types of spoofing attacks introduce ambiguity to the location bar, and consequently, allow an attacker to establish a degree of credibility for their fraudulent site,” he stated.
Baloch and Beardsley reported that the browser manufacturers’ responses varied.
To date, only Apple and Yandex have released updates to address the issues, doing so in September and October. Opera representative Julia Szyndzielorz indicated that fixes for Opera Touch and Opera Mini are “being rolled out progressively.”
However, the developers of UC Browser, Bolt Browser, and RITS Browser – collectively installed on over 600 million devices – did not respond to the researchers and have left the vulnerabilities unresolved.
TechCrunch contacted each browser vendor, but none offered a comment before this article was published.