Open redirect due to scanning QR code via Aloha Browser

Solved Weird Sec 21 days ago

The Aloha Browser's built-in QR code scanner is vulnerable to an Open Redirect vulnerability. The scanner fails to properly validate or sanitize the URL encoded within a QR code before execution. An attacker can craft a malicious QR code that, when scanned by the user, automatically redirects them to an external, untrusted domain without their consent or knowledge. This can be leveraged for phishing attacks, credential theft, or distributing malware by exploiting the user's trust in the browser's utility.

Video PoC: https://drive.google.com/file/d/1WhHu8MqRgASrhqwmaa9pn61FdlHAooBR/view?usp=sharing

Replies (1)

Good day,

Thank you for the report and the PoC video.

We reviewed the behavior and currently do not consider this an Open Redirect vulnerability. The QR scanner opens the exact URL encoded in the QR code and does not alter or redirect it internally. Scanning also requires explicit user interaction.

In addition, users still benefit from standard browser protections such as HTTPS and SSL certificate validation before interacting with a website.

That said, we understand the phishing concerns around malicious QR codes and will discuss internally whether additional warnings or UX improvements make sense.


Kind Regards,

Aloha Team
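The thread turns on one question: whether a scanner that opens exactly the URL found in a QR code should vet that URL first. The vendor reply mentions possible "additional warnings", so here is an added example (written for this page, not Aloha Browser code) of what a pre-navigation check could look like: it parses the decoded payload, opens plain https URLs directly, blocks non-web schemes, and raises a warning for targets that commonly appear in QR phishing (plaintext http, embedded credentials, raw IP hosts, punycode or Unicode hostnames, odd ports). The scheme list, the heuristics and the `Verdict` type are all this example's own assumptions.

```python
"""Pre-navigation vetting of a URL decoded from a QR code.

Added example, not Aloha Browser code. It shows the kind of check a scanner
could run before handing a decoded payload to the browser, so the user sees a
warning for risky-looking targets instead of being navigated straight to them.
All heuristics and thresholds below are assumptions made for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from urllib.parse import urlsplit

# Schemes the example is willing to navigate to at all (assumption).
WEB_SCHEMES = {"http", "https"}
MAX_URL_LENGTH = 2000  # assumption: longer payloads are suspicious


@dataclass(frozen=True)
class Verdict:
    action: str        # "open", "warn" or "block"
    reasons: tuple     # human-readable reasons, meant for a warning dialog
    url: str


def vet_qr_payload(payload: str) -> Verdict:
    """Classify a decoded QR payload before any navigation happens."""
    text = payload.strip()
    parts = urlsplit(text)
    scheme = parts.scheme.lower()
    reasons = []

    # Anything that is not a web URL (javascript:, data:, file:, intent:, or
    # plain text) is never opened directly from a scanned code.
    if scheme not in WEB_SCHEMES:
        return Verdict("block", (f"not a web URL (scheme {scheme or 'none'!r})",), text)

    host = parts.hostname or ""  # lowercased, brackets stripped for IPv6
    if not host:
        return Verdict("block", ("URL has no host",), text)

    if scheme == "http":
        reasons.append("plaintext http (no TLS)")

    if parts.username is not None:
        # user:pass@host is a classic way to make the real host look different
        reasons.append("credentials embedded in URL (userinfo)")

    try:
        ip_address(host)
        reasons.append("raw IP address instead of a hostname")
    except ValueError:
        pass

    # Punycode labels or non-ASCII characters in the host: homograph risk.
    if host.startswith("xn--") or ".xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized/punycode hostname (homograph risk)")

    try:
        port = parts.port  # raises ValueError if the port is malformed
    except ValueError:
        return Verdict("block", ("malformed port",), text)
    if port not in (None, 80, 443):
        reasons.append(f"non-standard port {port}")

    if len(text) > MAX_URL_LENGTH:
        reasons.append("unusually long URL")

    return Verdict("warn" if reasons else "open", tuple(reasons), text)


if __name__ == "__main__":
    # Constructed sample payloads, not taken from any real QR code.
    for sample in ("https://example.com/page",
                   "http://example.com/",
                   "https://user:pw@example.com/",
                   "https://192.0.2.10/login",
                   "data:text/html,hello",
                   "just some text"):
        v = vet_qr_payload(sample)
        print(f"{v.action:5}  {sample}  {'; '.join(v.reasons)}")
```

The point of the design is that "open" is the only branch that navigates without a prompt; everything else surfaces the decoded URL and the reasons to the user first, which addresses the phishing concern both sides of the thread acknowledge without treating the scanner itself as a redirector.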
