Arif Khan, an independent security researcher, has recently discovered an issue in Xiaomi browsers, including Mi Browser and the recently launched Mint Browser. The vulnerability (CVE-2019-10875) was found to be present in the Global version of these browsers and not in the Chinese version, which, as per the researcher, might be intentional.
How was the vulnerability discovered?
The researcher says that it was an accidental discovery and that it didn’t require much effort. He decided to test a certain feature in Mi Browser that was not behaving as expected.
As per the researcher, it was discovered when he tried to open a Google search query link through Mi Browser, and the browser tried to display only the ‘search query’ in the URL address bar. As per him, it takes almost 0 user interactions to exploit. When you open a link that has a query portion in its URL, Xiaomi’s browsers try to display it the way a search engine would display it in its search bar, so the URL bar doesn’t show the full URL. This happens not only with popular search engine websites but also with other websites.
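The display behaviour described above, modelled as an added example (not Xiaomi's code and not taken from the researcher's report). It assumes the query is carried in a parameter named `q`, as in Google search links; the function names, the allowlist and the sample URLs are constructed for illustration.

```javascript
// Assumption: the search query travels in a parameter named "q".
const QUERY_PARAM = "q";

// Flawed model: any URL that carries the parameter is shown as its query
// text only, whichever site is actually loaded.
function flawedAddressBarText(rawUrl) {
  const url = new URL(rawUrl);
  const query = url.searchParams.get(QUERY_PARAM);
  return query ? query : url.href;
}

// Hardened model: the shortened form is allowed only for an exact-match
// allowlist of search hosts over HTTPS, and the real host is always shown.
const SEARCH_HOSTS = new Set(["www.google.com"]); // constructed allowlist

function hardenedAddressBarText(rawUrl) {
  const url = new URL(rawUrl);
  const query = url.searchParams.get(QUERY_PARAM);
  const trusted = url.protocol === "https:" && SEARCH_HOSTS.has(url.hostname);
  return trusted && query ? `${url.hostname}: ${query}` : url.href;
}

// Check a browser test suite could run: does the displayed text still
// contain the hostname of the page that is really loaded?
function hidesOrigin(rawUrl, displayed) {
  return !displayed.includes(new URL(rawUrl).hostname);
}

// Constructed sample inputs (not real pages).
const SAMPLES = [
  "https://www.google.com/search?q=weather+today",
  "https://site.example.test/page?q=weather+today",
  "https://site.example.test/about",
];

function report() {
  return SAMPLES.map((u) => {
    const flawed = flawedAddressBarText(u);
    const hardened = hardenedAddressBarText(u);
    return {
      url: u,
      flawed,
      flawedHidesOrigin: hidesOrigin(u, flawed),
      hardened,
      hardenedHidesOrigin: hidesOrigin(u, hardened),
    };
  });
}

console.table(report());
```

In the flawed model the address bar loses the real host for every URL that carries the parameter; the hardened model never drops it.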
Mi Security team (MiSRC) acknowledged the vulnerability and the researcher got the reward!
As per Khan, the Mi Security team has accepted the security issue he found, and he was awarded a $198 bounty for reporting the issue in both browsers ($99 for each).
How does it affect you?
If Mi Browser is the default browser on your device, then your device is vulnerable to phishing attacks because of this issue. The issue makes it quite feasible to run successful phishing and ad campaigns against Mi devices.
What should you do to remain unaffected?
You should avoid using these browsers at least until the Xiaomi team patches the vulnerability. You can change the default browser on your smartphone and use browsers like Google Chrome or Mozilla Firefox. You can also uninstall the Mi Browser or Mint Browser using this tutorial.