Address Bar Spoofing in Contemporary Web Browsers: A Taxonomy, Exploitation Study, and Mitigation Guidelines
DOI: https://doi.org/10.21928/uhdjst.v9n2y2025.pp335-345

Keywords: Address Bar Spoofing, Web Browser Security, Phishing, URL Spoofing, UI Security, Vulnerability Taxonomy, Cyber Security

Abstract
The browser address bar is the cornerstone of user trust and web security. Despite advancements, address bar spoofing remains a persistent threat, enabling attackers to make malicious URLs appear legitimate. This paper presents an extensive investigation into address bar spoofing vulnerabilities across modern desktop and mobile browsers. We introduce a comprehensive taxonomy classifying over 15 distinct spoofing techniques, many of which are novel. Across systematic testing, over 70 vulnerabilities were identified and responsibly disclosed, resulting in patches across more than 15 browsers. These findings are enumerated in this paper for verification. This research analyzes the root causes of these vulnerabilities, highlighting common pitfalls in URL parsing, display logic, and UI state management. Based on our findings, we propose a robust mitigation framework and best practices for browser developers, alongside actionable advice for users. Our findings underscore the ongoing challenge of maintaining address bar integrity and the critical need for continuous vigilance in browser security. A public repository documents these findings to aid further research.
Copyright (c) 2025 Renua Hiwa Ismael, Jaza Mahmood Abdullah

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
