Android Browser All Versions – Address Bar Spoofing Vulnerability

Google's security team themselves state that “We recognize that the address bar is the only reliable security indicator in modern browsers”. If the only reliable security indicator can be controlled by an attacker, the effects can be serious: for instance, users could be tricked into supplying sensitive information to a malicious website, because the address bar points to the legitimate site and leads them to believe that is the site they are visiting.

Android Stock Browser Address Bar Spoofing

A few months ago I discovered an address bar spoofing vulnerability affecting the Android Stock Browser on all Android versions. The tests were carried out on Android Lollipop and were later confirmed on prior versions.
The issue is caused by the browser failing to handle 204 “No Content” responses when combined with event, therefore allowing us to spoof the address bar.

Steps To Reproduce

1) Visit with an unpatched Android Stock Browser.
2) Click the “Click here to be redirected” button.
3) The Android browser will open a new tab with the browser pointing to “” in the address bar, which makes the victim believe that they are in fact visiting a legitimate website; however, in reality the page is not hosted on
4) As soon as the victim enters his/her credentials, they are sent to
Note: Please visit for the unrendered version of the POC.

Proof of Concept

The following is a screenshot of a Samsung Galaxy S5 running the latest Android stock browser. As you may notice, the address bar points to (which returns a 204 response), which makes the user believe that he is in fact visiting a legitimate site; however, it is hosted on the attacker’s domain name.
Notes: Joe Vennix suggests that you might have to play with my timeout value, and he found 1500 – 2000 to work much more consistently. This is because, if the timeout fires too soon (before the NO CONTENT response is received from, the new page will just have a blank URL bar.
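To make the root cause concrete from the browser's side, here is an added toy model of a tab's address-bar state; it is not Android Browser's code and not the original proof of concept. It assumes two constructed `.example` hosts with canned responses (no network) and contrasts a flawed display rule, which shows the URL of a navigation that never committed, with the hardened rule, which only ever shows the URL of the document actually rendered. A 204 response leaves the current document in place, so the correct outcome is that the address bar keeps the previous URL.

```javascript
// Added example, not Android Browser's code: a toy model of a tab's
// address-bar state showing why a 204 "No Content" response must never
// update the displayed URL. All hosts are constructed .example names.

const NO_CONTENT = 204;

// Constructed responses keyed by URL (no network involved).
const RESPONSES = {
  "https://origin.example/page.html": { status: 200, body: "<p>origin page</p>" },
  "https://nocontent.example/": { status: NO_CONTENT, body: "" },
};

function fetchSim(url) {
  return RESPONSES[url] || { status: 404, body: "not found" };
}

function newTab() {
  return {
    committedUrl: "about:blank", // URL of the document actually rendered
    pendingUrl: null,            // navigation in flight, not yet committed
    document: "",
  };
}

// Drive one navigation. A 204 means "keep showing the current document";
// it never commits. With clearPendingOn204=false the stale pending URL is
// left behind (the flawed behaviour); with true it is dropped (the fix).
function navigate(tab, url, clearPendingOn204) {
  tab.pendingUrl = url;
  const resp = fetchSim(url);
  if (resp.status === NO_CONTENT) {
    if (clearPendingOn204) tab.pendingUrl = null;
    return false;
  }
  tab.committedUrl = url;
  tab.document = resp.body;
  tab.pendingUrl = null;
  return true;
}

// Flawed display rule: shows whatever was last requested, committed or not.
function addressBarFlawed(tab) {
  return tab.pendingUrl !== null ? tab.pendingUrl : tab.committedUrl;
}

// Hardened display rule: shows only the URL of the rendered document.
function addressBarHardened(tab) {
  return tab.committedUrl;
}

// Load a real document, then navigate the same tab to a URL that answers
// 204, and report what each rule puts in the address bar next to the
// document that is still on screen.
function simulate(hardened) {
  const tab = newTab();
  navigate(tab, "https://origin.example/page.html", hardened);
  navigate(tab, "https://nocontent.example/", hardened);
  return {
    shown: hardened ? addressBarHardened(tab) : addressBarFlawed(tab),
    document: tab.document,
  };
}

console.log("flawed:  ", simulate(false));
console.log("hardened:", simulate(true));
```

Running it prints the flawed rule showing `https://nocontent.example/` above a document that still belongs to `origin.example`, which is exactly the mismatch a user cannot detect; the hardened rule keeps the two in agreement. The defensive principle is the general one: the address bar is a property of the committed document, never of a request that is merely in flight.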


The proof of concept was initially created by Rafay Baloch; however, it was later modified and improvised by “Joe Vennix”. I would like to sincerely thank “Tod Beardsley” from the Rapid7 team for handling the disclosure for me. Kudos!


The Android security team has responded by releasing patches committed to both KitKat and Lollipop main distributions. Users are advised to contact their carriers to determine if they have received updated versions of these operating systems.