Mobile Browsers’ Google Safe Browsing Flaw In 2018 Revealed

Google’s Safe Browsing system has been part of the Google search engine for more than a decade. It is designed to block known websites that harbor malware or phishing attempts against visitors. It is very efficient, given that Google has the most advanced web crawlers indexing the web: websites with harmful content are marked with a nag screen, which stops the user from ever visiting the malicious websites.

Unfortunately, browser makers such as Mozilla, Apple and even Google failed to check their browsers’ iOS and Android variants for Safe Browsing compatibility, which was broken in mobile browsers for at least a year, from July 2017 to the last quarter of 2018. The shocking revelation was the result of research conducted by PayPal in partnership with academic researchers at Arizona State University. This means that for more than a year the Firefox, Safari and Chrome/Chromium browsers for Android/iOS inadvertently exposed users to some malicious sites, because Google Safe Browsing was broken in the mobile browser variants.

The research team from Arizona State University and PayPal used an internal prototype project during the 2017-2018 timeframe to measure the effectiveness of automation in securing Internet users. The project was dubbed PhishFarm. Under the project, the research team deliberately established 2,380 genuine-looking PayPal websites in a controlled environment and allowed a certain number of “test victims” to visit these websites for their “busy workloads”.

The normal behavior for a Google Safe Browsing-aware browser is to check with Google whether the website has no known malicious elements. However, this only worked on desktop browsers, not on their mobile counterparts. That means that mobile users were exposed to malicious websites that were actually blocked by the Google Safe Browsing system during the above-mentioned time frame.

“We found that simple cloaking techniques representative of real-world attacks- including those based on geolocation, device type, or JavaScript- were effective in reducing the likelihood of blacklisting by over 55% on average,” explains the research team.

With the rapid growth of web browsing on mobile devices, the propensity of users to use the default web browsers installed on their mobile devices greatly increases the risk of encountering malicious executables and phishing websites. Microsoft’s SmartScreen, a competing service, works on all variants of the Microsoft Edge browser, both on desktop operating systems and on Android.

“Following disclosure of our findings, anti-phishing entities are now better able to detect and mitigate several cloaking techniques (including those that target mobile users), and blacklisting has also become more consistent between desktop and mobile platforms— but work remains to be done by anti-phishing entities to ensure users are adequately protected,” added the research team.

In 2019, new versions of mobile Firefox, Safari and Chrome/Chromium have a working Google Safe Browsing system. The browser vendors were able to make the necessary adjustments to how the safe browsing system is implemented in their products on the mobile platform. Unfortunately, none of the browser vendors has disclosed how many mobile users were bitten by a phishing page or received malware last year because of the non-working safe browsing system.


Julia Sowells

Julia Sowells has been a technology and security professional. With a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, written technical articles, and worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm as a security consultant while continuing to write for Hacker Combat in her limited spare time.
