Mi Browser and Mint Browser, the web browser apps created by Xiaomi, are highly vulnerable to a flaw that has not yet been patched.
Users of Xiaomi's Mi or Redmi smartphones are advised to stop using these browsers, which are also available on the Google Play Store for non-Xiaomi Android devices.
The vulnerability was found by security researcher Arif Khan and is tracked as CVE-2019-10875. It is a browser address bar spoofing issue that stems from a logical flaw in the browser's interface, which permits a malicious website to control the URL displayed in the address bar.
The affected browsers do not properly handle the "q" query parameter in URLs and so fail to display the portion of an https URL before the ?q= substring in the address bar.
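For defenders filtering links in mail or proxy logs, the behaviour described above suggests a simple check: flag https links whose q parameter names a different site than the host that actually serves the page. The sketch below is an added example, not code from the researcher or from Xiaomi; the function names, the hostname heuristic and the sample links are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Heuristic (an assumption of this example): a value "looks like a site" if it is
# a dotted hostname, optionally preceded by a scheme and followed by a path.
HOST_LIKE = re.compile(
    r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[:/?#].*)?$", re.IGNORECASE
)

def spoofed_host(url):
    """Return the hostname carried in the q parameter when it differs from the
    host that actually serves the page, else None."""
    parts = urlsplit(url)
    # The page describes the flaw for https URLs, so only those are checked.
    if parts.scheme != "https" or not parts.hostname:
        return None
    real = parts.hostname.lower()
    # parse_qs percent-decodes values, so encoded forms are caught too.
    for value in parse_qs(parts.query).get("q", []):
        match = HOST_LIKE.match(value.strip())
        if match and match.group(1).lower() != real:
            return match.group(1).lower()
    return None

def triage(urls):
    """Map each suspicious URL to (real host, host named in q)."""
    hits = {}
    for url in urls:
        shown = spoofed_host(url)
        if shown:
            hits[url] = (urlsplit(url).hostname, shown)
    return hits

# Constructed sample links (reserved .example names, not real sites).
SAMPLE_URLS = [
    "https://phish.example/?q=www.bank.example",
    "https://phish.example/p?x=1&q=https%3A%2F%2Fwww.bank.example%2Flogin",
    "https://search.example/?q=weather+today",
    "https://www.bank.example/?q=www.bank.example",
]

if __name__ == "__main__":
    for url, (real, shown) in triage(SAMPLE_URLS).items():
        print(f"SUSPICIOUS real={real} q-names={shown} url={url}")
```

A legitimate search for a domain name matches the same pattern, so hits are leads for review rather than verdicts.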
The address bar of a web browser is the most reliable and essential security indicator, so the flaw can easily be used to trick Xiaomi users into believing that they are visiting a trusted website when they are actually being served phishing or malicious content.
Phishing attacks are now more advanced and very difficult to spot, and this URL spoofing vulnerability takes them to another level. It permits an attacker to bypass basic indicators such as the URL and SSL, the two things a user normally checks to determine whether a site is fake.
It has been confirmed that the vulnerability works on the latest versions of both web browsers: Mi Browser (v10.5.6-g) and Mint Browser (v1.5.3).
It is interesting to note that this issue affects only the international variants of both web browsers; the domestic (Chinese) versions do not exhibit this vulnerability.
It is also amusing to note that the issue has already been reported to the company, which rewarded the researcher with a bug bounty but left the vulnerability unpatched.
The vulnerability affected millions of users worldwide, and still the bounty offered was $99 (for Mi Browser) and another $99 (for Mint Browser).
There has been no official response from the company regarding issuing patches for the flaw.
Recently another severe issue was disclosed in pre-installed apps of more than 150 million Android devices manufactured by Xiaomi. In that issue, it was possible for an attacker to turn a pre-installed security app on Xiaomi phones, called Guard Provider, into malware by exploiting multiple vulnerabilities in the app.
It is highly recommended that Android users use web browsers such as Chrome or Firefox that are not affected by this vulnerability.