Zen Browser Address Bar Spoofing Vulnerability

Vulnerability

A vulnerability in the Zen Browser, a Firefox-based browser, allows for address bar spoofing by truncating long hostnames. In versions prior to 1.19.12b, the browser only displayed the attacker-controlled prefix of subdomains, hiding the actual registrable domain. This flaw enables attackers to create long malicious subdomains that mimic trusted brands, misleading users about the true origin of a site. The issue undermines the URL bar's role as a security indicator, creating a phishing and supply-chain attack vector.

Impact

This vulnerability facilitates domain spoofing by showing only the subdomain prefix, which can imitate trusted brands, while hiding the actual registrable domain. This misrepresentation can lead to phishing attacks, such as credential theft, payment fraud, and session hijacking. The vulnerability undermines the trust users place in their browser to accurately represent website origins, and attackers can exploit that trust at no cost using free hosting services such as GitHub Pages or Vercel, which hand out subdomains freely.

Reproduction

To reproduce this vulnerability, open a URL with a long subdomain that includes many dashes, such as one that imitates a trusted brand. Observe that the address bar shows only the left portion of the subdomain and omits the actual registrable domain. This behavior contrasts with how browsers like Chrome handle URL display: they keep the registrable domain visible whenever the hostname must be shortened, precisely so that it cannot be pushed out of view.
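The following example, added here and not taken from Zen Browser, Firefox or the advisory, contrasts the two display policies described above: left-anchored truncation, which lets a long subdomain push the registrable domain out of the visible text, and domain-anchored elision, which always ends the displayed string with the registrable domain. The sample hostname is constructed, and the registrable-domain lookup is a deliberate simplification (last two labels) of what real browsers do with the Public Suffix List.

```javascript
// Illustrative address-bar hostname elision (example code, not any browser's
// own implementation). Two policies for fitting a hostname into a fixed-width
// address bar are compared for whether the registrable domain stays visible.

const ELLIPSIS = "\u2026";

// Simplified registrable-domain lookup: the last two labels of the hostname.
// ASSUMPTION: real browsers consult the Public Suffix List (so "shop.co.uk" is
// registrable as a whole); the two-label rule keeps this example offline.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, "").split(".");
  return labels.slice(-2).join(".");
}

// Vulnerable policy (the behaviour the advisory describes): keep the leftmost
// characters and cut off the rest. Whatever the attacker puts at the start of
// the subdomain is all the user sees.
function displayLeftTruncated(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  return hostname.slice(0, maxChars - 1) + ELLIPSIS;
}

// Hardened policy: keep the rightmost characters instead, so the displayed
// text always ends with the registrable domain. If the budget is smaller than
// the domain itself, the domain is still shown in full: origin visibility is
// the security property, the width budget is only cosmetic.
function displayDomainAnchored(hostname, maxChars) {
  if (hostname.length <= maxChars) return hostname;
  const domain = registrableDomain(hostname);
  const keep = Math.max(maxChars - 1, domain.length);
  return ELLIPSIS + hostname.slice(hostname.length - keep);
}

// Security check a UI test would run: does the rendered text still end with
// the origin's registrable domain?
function originVisible(displayed, hostname) {
  return displayed.toLowerCase().endsWith(registrableDomain(hostname));
}

// Constructed sample: a long dash-separated subdomain on an attacker-owned
// domain (".example" is a reserved TLD, so this resolves to nothing).
const SAMPLE_HOST =
  "login-example-com-secure-account-verify-session-update.attacker.example";
const BAR_WIDTH = 30;

// Stand-alone demonstration of both policies on the sample hostname.
for (const render of [displayLeftTruncated, displayDomainAnchored]) {
  const shown = render(SAMPLE_HOST, BAR_WIDTH);
  console.log(`${render.name.padEnd(22)} ${shown}  origin visible: ${originVisible(shown, SAMPLE_HOST)}`);
}
```

The point of `originVisible` is that it is a property you can assert in a test rather than something to eyeball: any address-bar renderer that can return a string for which it is false has reintroduced this class of bug, regardless of which characters were dropped.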

Remediation

Users can update to Zen Browser version 1.19.12b or later, where this vulnerability has been fixed.

Added: May 11, 2026, 7:14 PM
Updated: May 11, 2026, 7:14 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 7.5
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.