Xiaomi has trouble permanently patching its browsers against a vulnerability that enables spoofing URLs in a way that is difficult to detect by users.

The flaw affects the international versions of Mint Browser and Mi, the web browser that comes pre-installed on Xiaomi smartphones. It was patched and re-patched, and yet it still persists in the two products that are present on millions of devices.

The company sold 118.7 million smartphones last year. Mint Browser has over 500,000 installs on Google Play.

Cybercriminals leveraging this issue can create more credible phishing attacks with little interaction from the victim. All it takes is to lure them to follow a malicious link.

Patch, bypass, repeat

Security researcher Arif Khan on Friday disclosed that the flaw (CVE-2019-10875) works with both HTTP and HTTPS websites and it could be used to show any domain name in the address bar.

"When you try to open a link with a query portion with that URL, Xiaomi's browsers try to display it as search engines would display it in the search bar," the researcher explains.

Khan says that Xiaomi security team confirmed that the issue was not present on the domestic versions of the two browsers developed by the Chinese electronics manufacturer.

Xiaomi attempted to correct the problem in an updated version of Mint Browser (v1.6.3, released on April 5)  by adding new regular expression rules, but this measure failed.

Using Khan's method, hacker and bug bounty hunter Renwa was able to bypass the fix, as seen in the video demonstration below:

Following this new report, Xiaomi again tried to patch the vulnerability with the release of Mint Browser 1.6.4. However, this counts as another failure at properly fixing CVE-2019-10875.

Third time is not a charm

Today, Renwa shared a new way to bypass the vendor's latest mitigations for URL spoofing in its Mint Browser. The video below shows how the security researcher loaded a Yahoo! page but the address bar indicates the Facebook mobile web page.

While Mint Browser received a lot of attention, its counterpart found on millions of Xiaomi smartphones was last updated on December 3, 2018. This means that the browser continues to be affected by the original URL spoofing vulnerability discovered and reported by Khan.

Although present on over 100 million devices, Mi is likely not the browser of choice of as many users. Still, a large number of Xiaomi smartphone owners may be affected.

Related Articles:

Chrome Enterprise gets Premium security but you have to pay for it

GitLab affected by GitHub-style CDN flaw allowing malware hosting

Google ad impersonates Whales Market to push wallet drainer malware

Cybercriminals pose as LastPass staff to hack password vaults

LabHost phishing service with 40,000 domains disrupted, 37 arrested