If you use a Xiaomi Mi or Redmi smartphone, update its built-in Mi Browser immediately; the same applies to the Mint Browser, which is available on the Google Play Store for non-Xiaomi Android devices. Both web browser apps, created by Xiaomi, are affected by a critical vulnerability that has not yet been patched even after it was reported to the company privately. The vulnerability is tracked as CVE-2019-10875 and was discovered by security researcher Arif Khan.
The vulnerability is a browser address bar spoofing issue caused by a logical flaw in the browser's interface that lets a malicious website control the URL displayed in the address bar. According to the advisory, the affected browsers do not properly handle the 'q' query parameter in URLs and therefore fail to display the portion of an https URL before the "?q=" substring in the address bar.
The researcher has confirmed that the issue affects only the international variants of both web browsers; the domestic versions distributed with Xiaomi smartphones in China do not contain this vulnerability and hence are safe from the attack. Most notably, upon receiving the report, Xiaomi rewarded the researcher with a bug bounty but left the vulnerability unpatched. A spokesperson from Xiaomi (a China-based organization) has confirmed that the publicly disclosed vulnerability has recently been patched in the latest version of both browser apps. He stated that the bug was the result of an additional feature intended to improve the user experience by hiding the URL and displaying only the search term.
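
The display behaviour described above (hiding everything before "?q=" and showing only the search term) can be modelled next to a hardened version. This is an added illustration, not Xiaomi's code: the function names, the search-provider allowlist and the sample URLs are all constructed assumptions.

```javascript
// Added illustration; a constructed model, not Xiaomi's code.
// All function names and the allowlist are hypothetical.

// Flawed: for any https URL containing "?q=", show only what follows it.
function flawedDisplay(rawUrl) {
  const i = rawUrl.indexOf("?q=");
  if (rawUrl.startsWith("https://") && i !== -1) {
    return rawUrl.slice(i + 3); // origin and path are dropped
  }
  return rawUrl;
}

// Assumed allowlist: origin -> results path of the configured search provider.
const SEARCH_PAGES = new Map([["https://www.google.com", "/search"]]);

// Hardened: collapse to the search term only on the provider's own results
// page; every other page keeps its full URL, origin included.
function hardenedDisplay(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return rawUrl; }
  const term = u.searchParams.get("q");
  if (term !== null && SEARCH_PAGES.get(u.origin) === u.pathname) {
    return term;
  }
  return u.href;
}

// Detection helper for proxy or URL logs: flags a q value that looks like a
// hostname different from the host actually serving the page.
function qNamesOtherHost(rawUrl) {
  const u = new URL(rawUrl);
  const term = (u.searchParams.get("q") || "").toLowerCase();
  if (!/^(https?:\/\/)?([a-z0-9-]+\.)+[a-z]{2,}(\/.*)?$/.test(term)) return false;
  const claimed = term.replace(/^https?:\/\//, "").split("/")[0];
  return claimed !== u.hostname;
}

// Constructed sample URLs (.example is a reserved documentation TLD).
const samples = [
  "https://phish.example/?q=www.google.com",
  "https://www.google.com/search?q=mi+browser",
];
for (const s of samples) {
  console.log(s, "|", flawedDisplay(s), "|", hardenedDisplay(s), "|", qNamesOtherHost(s));
}
```

The hardened function ties the "show only the search term" convenience to the origin that is actually loaded, so an arbitrary site can no longer choose the address bar text through its own query string.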