[BUG] Address bar truncation hides registrable domain leading to URL spoofing risk
Aloha Browser (v8.3.1) improperly truncates long URLs in the address bar, hiding the registrable domain and showing only the beginning of the URL.
An attacker can craft a malicious URL such as:
https://trusted-site.com.attacker-domain.com
Due to truncation, users may only see trusted-site.com, leading to false trust and potential phishing or credential theft.
This behavior violates standard secure URL display practices where the registrable domain must remain visible.
Steps to Reproduce
- Open Aloha Browser (v8.3.1)
- Visit: https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/
- Observe the address bar
- Notice the URL is truncated from the right and the actual domain is not clearly visible
Impact
- URL spoofing / confusion
- Phishing risk
- Users may trust malicious domains
References (Optional but Recommended)
Files:
alohabrowser-bu...
Hi, thanks for the report.
What you’re seeing is the normal behavior of the address bar when a URL is longer than the available space. The text fades at the edge instead of wrapping.
You can view the full address by tapping the address bar or scrolling horizontally within it.
Based on the screenshot, this does not appear to be a rendering bug.
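The display rule the report appeals to (the registrable domain stays visible when the host is too long), sketched as an added example; it is not Aloha Browser's code and not part of either post. `SAMPLE_SUFFIXES` is a constructed stand-in for the full Public Suffix List, and the function names are hypothetical.

```javascript
// Constructed, minimal suffix set for this example only.
// A real browser consults the full Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "net", "co.uk"]);

// Return the registrable domain (public suffix plus one label) of a hostname,
// or null when the host is itself a public suffix.
function registrableDomain(host, suffixes = SAMPLE_SUFFIXES) {
  const labels = host.toLowerCase().replace(/\.$/, "").split(".");
  // Scan from the left so the longest matching suffix wins.
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  // Unknown suffix: fall back to the last two labels (assumption of this sketch).
  return labels.slice(-2).join(".");
}

// Elide a URL's host for a narrow address bar. The cut is made on the LEFT,
// so subdomain labels are dropped first and the registrable domain is never hidden.
function elideHost(urlString, maxChars) {
  const host = new URL(urlString).hostname;
  if (host.length <= maxChars) return host;
  // IP literals have no registrable domain; show them whole.
  if (/^[\d.]+$/.test(host) || host.startsWith("[")) return host;
  const domain = registrableDomain(host) ?? host;
  // One character is reserved for the ellipsis. If the bar is narrower than
  // the registrable domain, exceed the budget rather than cut the domain.
  const keep = Math.max(maxChars - 1, domain.length);
  const tail = host.slice(-keep);
  return tail.length < host.length ? "…" + tail : host;
}

// The two hosts from the report, in a bar that fits 20 characters.
console.log(elideHost("https://trusted-site.com.attacker-domain.com", 20));
console.log(elideHost(
  "https://long-extended-subdomain-name-containing-many-letters-and-dashes.badssl.com/", 20));
```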