Address bar spoofing via <title> on Aloha Browser Android
Hi team,
I found an address bar spoofing issue related to how Aloha Browser displays the page <title>. At first, I was just testing how my website looks on different browsers, and I noticed that Aloha Browser only shows the <title> in the address bar instead of the actual website origin. This can be confusing for users.
In most modern browsers like Arc, Edge, Safari, and Chrome, the address bar shows the website origin. However, in Aloha Browser, the origin is hidden and only the title is shown. Because of this, an attacker could spoof the title and make users believe they are visiting a trusted website.
Proof of concept ( https://heloworld285.github.io/spoof36 )
[Code.png]
Impact
This PoC shows that users can easily be misled into believing they are accessing a trusted source, which opens the door to attacks such as credential harvesting, account takeover, and impersonation.
Remediation for this issue
As a mitigation, the browser should prioritize displaying the website origin rather than the page title to prevent spoofing.
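As an added illustration of that mitigation (example code written for this page, not Aloha's code), the function below derives the address-bar label from the URL's origin and keeps the attacker-controlled <title> as secondary text only; the class and function names are assumptions.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class AddressBarLabel:
    origin: str  # primary text: scheme://host[:port], not author-controlled
    title: str   # secondary text only; never shown in place of the origin


def address_bar_label(url: str, title: str) -> AddressBarLabel:
    """Build the address-bar label for a loaded page.

    The origin comes from the URL the browser actually navigated to, so a
    page cannot change it. The <title> is fully page-controlled, so it is
    tidied and truncated but never used as the primary label.
    """
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        # Non-web schemes (data:, about:, ...) have no origin worth showing.
        raise ValueError(f"not a displayable web origin: {url!r}")
    origin = f"{parts.scheme}://{parts.hostname}"  # hostname is lowercased
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{parts.port}"
    # Collapse whitespace and cap length so a long or padded title cannot
    # crowd the origin out of a narrow mobile address bar.
    clean_title = " ".join(title.split())[:60]
    return AddressBarLabel(origin=origin, title=clean_title)
```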
Hi there, thanks for reporting. We are looking into it 🛠️