[BUG] Address bar truncation hides registrable domain leading to URL spoofing risk
Aloha Browser (v8.3.1) improperly truncates long URLs in the address bar, hiding the registrable domain and showing only the beginning of the URL.
An attacker can craft a malicious URL such as:
https://trusted-site.com.attacker-domain.com
Due to truncation, users may only see trusted-site.com, leading to false trust and potential phishing or credential theft.
This behavior violates standard secure URL display practices where the registrable domain must remain visible.
Steps to Reproduce
- Open Aloha Browser (v8.3.1)
- Visit: https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/
- Observe the address bar
- Notice the URL is truncated from the right and the actual domain is not clearly visible
Impact
- URL spoofing / confusion
- Phishing risk
- Users may trust malicious domains
Files:
alohabrowser-bu...
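The display rule the report refers to (keep the registrable domain visible when a hostname does not fit) can be sketched as follows. This is an added example, not Aloha Browser code or part of the original report; `PUBLIC_SUFFIXES`, `naiveDisplay` and `displayHost` are hypothetical names, and the suffix set is a small constructed stand-in for the full Public Suffix List.

```javascript
// ASSUMPTION: tiny constructed stand-in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);
const ELLIPSIS = "\u2026";

// Registrable domain = longest matching public suffix plus one label to its left.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      // i === 0: the host is itself a public suffix, nothing to strip.
      return labels.slice(Math.max(i - 1, 0)).join(".");
    }
  }
  // Unknown suffix: fall back to the last two labels.
  return labels.slice(-2).join(".");
}

// Behaviour described in the report: keep the start of the host, drop the end.
function naiveDisplay(url, maxChars) {
  return new URL(url).hostname.slice(0, maxChars);
}

// Hardened form: elide from the left and never cut into the registrable domain.
function displayHost(url, maxChars) {
  const host = new URL(url).hostname;
  const base = registrableDomain(host);
  if (host.length <= maxChars || host === base) return host;
  // Keep at least "." + base, even if that overflows the available width.
  const keep = Math.max(maxChars - ELLIPSIS.length, base.length + 1);
  return ELLIPSIS + host.slice(-keep);
}

// URLs taken from the report; the widths are constructed sample values.
const samples = [
  ["https://trusted-site.com.attacker-domain.com", 16],
  ["https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/", 20],
];
for (const [url, width] of samples) {
  console.log(naiveDisplay(url, width).padEnd(22), "->", displayHost(url, width));
}
```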