Android Browser – Address Bar and Content Spoofing Vulnerability


Address Bar Spoofing Vulnerability

The Google security team themselves state that “We recognize that the address bar is the only reliable security indicator in modern browsers”. If the only reliable security indicator can be controlled by an attacker, it can have adverse effects, for instance tricking users into supplying sensitive information to a malicious website, since users are easily led to believe they are visiting a legitimate website when the address bar points to the correct one.

A few months ago I discovered an address bar spoofing vulnerability affecting the Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and were later confirmed on prior versions.

The issue is caused by the fact that the browser fails to correctly handle 204 “No Content” responses when combined with an event, which allows us to spoof the address bar.

Steps To Reproduce

1) Visit with an unpatched Android Stock Browser.

2) Click the “Click here to be redirected” button.

3) The Android browser will open a new tab with the address bar pointing to “”, which makes the victim believe that they are in fact visiting a legitimate website; in reality, however, the page is not hosted on

4) As soon as the victim enters his/her credentials, they are sent to

Note: Please visit for the unrendered version of the POC.

Proof of Concept

The following is a screenshot of a Samsung Galaxy S5 running the latest Android stock browser. As you may notice, the address bar points to (which returns a 204 response), which makes the user believe that he is in fact visiting a legitimate site; however, the page is hosted on the attacker’s domain name.

Notes: Joe Vennix suggests that you might have to play with my timeout value; he found 1500 – 2000 to work much more consistently. This is because if the timeout fires too soon (before the 204 NO CONTENT response is received from ), the new page will just have a blank URL bar.


The proof of concept was initially created by “Rafay Baloch”; it was later modified and improved by “Joe Vennix” and “Tod Beardsley” from the Rapid7 team handling the disclosure.


The Android security team has responded by releasing patches committed to both the KitKat and Lollipop main distributions. Users are advised to contact their carriers to determine whether they have received updated versions of these operating systems.

KitKat Content Spoofing Vulnerability

The following is a low-risk vulnerability that was found a few months ago while testing the latest Android Stock browser on Android KitKat. The issue is commonly referred to as a content spoofing vulnerability or dialog box spoofing vulnerability, and it could be used to fake an alert message on a legitimate website.

In other words, we could display an alert box (of our choice) on the site of our choice, whereas in Chrome, Firefox and other browsers the alert box appears on the correct tab.


<a onclick="test()">CLICK</a>
<script>
function test() {
  ('');  // target URL elided
  setTimeout(function () { alert("HACKED"); }, 5000);
}
</script>

Upon executing the above code, the alert box would be displayed on


Technical Details

The issue resides inside the AOSP browser; more specifically, the WebView fails to override the WebChromeClient.onJsAlert() method, which is responsible for displaying the JavaScript alert box, so the WebView is not able to switch the JsAlert() to the correct tab.
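For comparison, the following is an added example (not AOSP, Rapid7 or the author's code) of how an app embedding a WebView can override WebChromeClient.onJsAlert() so that every alert dialog is bound to the WebView that raised it and labelled with that page's origin; the class name and the per-tab WebView arrangement are assumptions.

```java
import android.app.AlertDialog;
import android.net.Uri;
import android.webkit.JsResult;
import android.webkit.WebChromeClient;
import android.webkit.WebView;

// Hypothetical embedding app: each tab owns its own WebView, and each WebView
// is given its own instance of this client, so the dialog is always created
// from the context of the WebView that actually executed alert().
public class OriginLabelledChromeClient extends WebChromeClient {

    // Reduce a full URL to scheme://host so the dialog names the origin, which
    // is the part of the address bar the user is expected to trust.
    static String originOf(String url) {
        if (url == null) {
            return "unknown origin";
        }
        Uri u = Uri.parse(url);
        if (u.getScheme() == null || u.getHost() == null) {
            return url;
        }
        return u.getScheme() + "://" + u.getHost();
    }

    @Override
    public boolean onJsAlert(WebView view, String url, String message, JsResult result) {
        // 'url' is the URL of the page that called alert(); if it is missing,
        // fall back to what this WebView currently displays.
        String origin = originOf(url != null ? url : view.getUrl());
        new AlertDialog.Builder(view.getContext())
                .setTitle("The page at " + origin + " says:")
                .setMessage(message)
                .setCancelable(false)
                // Always settle the JsResult, otherwise the page's JS stays blocked.
                .setPositiveButton(android.R.string.ok, (dialog, which) -> result.confirm())
                .show();
        // Returning true tells the WebView the app has handled the dialog itself.
        return true;
    }
}
```

Install it with webView.setWebChromeClient(new OriginLabelledChromeClient()) on every WebView the app creates.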
